CVE-2024-55601: 
Wolfi vulnerability analysis and mitigation

Hugo, a static site generator, contains a vulnerability (CVE-2024-55601) where HTML attributes in Markdown in certain internal templates are not properly escaped. This issue affects versions starting from v0.123.0 and prior to version 0.139.4. The vulnerability impacts Hugo users who do not trust their Markdown content files and are using specific internal templates (GHSA-Advisory).

The vulnerability affects several internal templates including _default/_markup/render-link.html (from v0.123.0), _default/_markup/render-image.html (from v0.123.0), _default/_markup/render-table.html (from v0.134.0), and shortcodes/youtube.html (from v0.125.0). The issue stems from insufficient escaping of HTML attributes in these templates when processing Markdown content (Hugo-Release).

The vulnerability could potentially allow malicious actors to inject unwanted HTML attributes through Markdown content files, affecting sites that do not trust their Markdown content. This is particularly relevant in scenarios where content files come from untrusted sources (GHSA-Advisory).

The issue has been patched in version v0.139.4. Users can either upgrade to this version or implement workarounds by replacing the affected components with user-defined templates or disabling the internal templates. Configuration options for disabling internal templates can be found in Hugo's documentation (Hugo-Docs).