CVE-2024-32875: Hugo Markdown titles do not escaped in internal render hooks

April 23, 2024

Title argument in Markdown for links and images not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files.

References

github.com/advisories/GHSA-ppf8-hhpp-f5hj
github.com/gohugoio/hugo
github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1
github.com/gohugoio/hugo/releases/tag/v0.125.3
github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
nvd.nist.gov/vuln/detail/CVE-2024-32875

Code Behaviors & Features

Detect and mitigate CVE-2024-32875 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →