N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-55601

CVE-2024-55601: Hugo does not escape some attributes in internal templates

Impact

Some HTML attributes in Markdown in the internal templates listed below not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates.

_default/_markup/render-link.html from v0.123.0
_default/_markup/render-image.html from v0.123.0
_default/_markup/render-table.html from v0.134.0
shortcodes/youtube.html from v0.125.0

Patches

Patched in v0.139.4.

Workarounds

Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

References

https://github.com/gohugoio/hugo/releases/tag/v0.139.4
https://gohugo.io/about/security/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-55601

CVE-2024-55601:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gohugoio/hugo	go	>= 0.123.0, < 0.139.4	0.139.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Hugo's internal templates not properly escaping HTML attributes when rendering user-controlled Markdown content. The commit diff shows:

In render hooks (link/image/table), attributes were passed through safeHTMLAttr without escaping
The YouTube shortcode template had multiple unescaped attributes
Patches added transform.HTMLEscape to attribute values
Test cases demonstrate XSS scenarios in attributes These templates directly process user content and output HTML attributes without proper escaping, matching CWE-79's description of improper neutralization during web page generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-55601: Hugo does not escape some attributes in internal templates

Impact

Patches

Workarounds

References

CVE-2024-55601:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

CVE-2024-55601: Hugo does not escape some attributes in internal templates

Impact

Patches

Workarounds

References

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI