CVE-2026-50134
Published: June 16, 2026
Updated: June 18, 2026
Commit: 86fbb0f7a8 (https://github.com/gohugoio/hugo/commit/86fbb0f7a8), "security: Validate redirects against security.http.urls"
Affected versions: v0.91.0 (when "security.http.urls" was introduced) through v0.161.1
Fixed in: v0.162.0
Severity: Only relevant for sites that rely on "security.http.urls" as a trust boundary, e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to "resources.GetRemote".
Description
"resources.GetRemote" enforces "security.http.urls" on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid, for example "http://localhost/" or an internal IP, and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.
Mitigation
v0.162.0 installs a "CheckRedirect" on the HTTP client used by "resources.GetRemote" that re-runs "security.http.urls" on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.
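The fix pattern described above, as an added stand-alone example (not Hugo's code): the allowlist is modelled as regular expressions in the spirit of "security.http.urls", and the same check is re-run from an http.Client.CheckRedirect hook on every 3xx target, with the chain capped at 10 hops. The type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// 10-hop cap as in the advisory. Go's built-in 10-redirect limit only applies
// while CheckRedirect is nil, so a custom hook must enforce the cap itself.
const maxRedirects = 10

// urlPolicy models security.http.urls as an allowlist of regular expressions
// (hypothetical stand-alone type for this example, not Hugo's own code).
type urlPolicy struct{ allowed []*regexp.Regexp }

func newURLPolicy(patterns []string) (*urlPolicy, error) {
	p := &urlPolicy{}
	for _, s := range patterns {
		re, err := regexp.Compile(s)
		if err != nil {
			return nil, err
		}
		p.allowed = append(p.allowed, re)
	}
	return p, nil
}

// permits reports whether the full URL matches at least one allowed pattern.
func (p *urlPolicy) permits(rawURL string) bool {
	for _, re := range p.allowed {
		if re.MatchString(rawURL) {
			return true
		}
	}
	return false
}

// checkRedirect is installed as http.Client.CheckRedirect; the client calls it
// before following each 3xx (req = next request, via = chain so far). Re-running
// the policy here closes the pre-v0.162.0 gap where only the initial URL was checked.
func (p *urlPolicy) checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= maxRedirects {
		return fmt.Errorf("stopped after %d redirects", maxRedirects)
	}
	if target := req.URL.String(); !p.permits(target) {
		return fmt.Errorf("redirect to %q is not allowed by security.http.urls", target)
	}
	return nil
}
```

Install the hook with `&http.Client{CheckRedirect: p.checkRedirect}`; the initial URL is still checked with `permits` before the request is issued, so both the first hop and every redirect target pass through the same policy.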
Affected Packages
https://github.com/gohugoio/hugo.git (GITHUB):
Affected version(s): >=v0.7 <v0.162.0
Fix Suggestion: Update to version v0.162.0
github.com/gohugoio/hugo (GO):
Affected version(s): >=v0.91.0 <v0.162.0
Fix Suggestion: Update to version v0.162.0
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)