GHSA-c3wq-j5vh-68rc: Hugo: Symlink confinement bypass in os.ReadFile

Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected. Fixed in: v0.163.1. Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo’s virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target’s contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.