2331275 – (CVE-2024-55601) CVE-2024-55601 hugo: some attributes not escaped in internal templates

Bug 2331275 (CVE-2024-55601) - CVE-2024-55601 hugo: some attributes not escaped in internal templates

Summary: CVE-2024-55601 hugo: some attributes not escaped in internal templates

Keywords:
Status:	NEW
Alias:	CVE-2024-55601
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2331358
Blocks:
TreeView+	depends on / blocked

Reported:	2024-12-09 22:01 UTC by OSIDB Bzimport
Modified:	2025-06-04 19:36 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-12-09 22:01:17 UTC

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.

Comment 4 W. Michael Petullo 2025-06-04 19:36:34 UTC

Fixed with hugo-0.147.7 in Rawhide, F42, and F41.

Note You need to log in before you can comment on or make changes to this bug.