CVE-2024-32875 — Hugo Markdown titles are not escaped in internal render hooks in github.com/gohu

Description

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

How to fix CVE-2024-32875

To remediate CVE-2024-32875, upgrade the affected package to a fixed version below.

—upgrade to 0.125.4-1 or later
—upgrade to 0.125.3 or later
—upgrade to 0.125.3 or later

Is CVE-2024-32875 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.125.4-1
>= 0.123.0, < 0.125.3
>= 0.123.0, < 0.125.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-32875
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-32875
PATCHgithub.com/gohugoio/hugo
WEBgithub.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1
WEB