Security update available for Ghost 4.x and 5.x

We’ve been made aware of a security vulnerability in Ghost versions 4.x prior to 4.48.2 and 5.x prior to 5.2.3. This is patched in the latest releases, which have already been rolled out on Ghost(Pro). Self-hosters should update to 5.2.3 (or 4.48.2 for those still on v4) as soon as possible.

Details:

A vulnerability in an upstream library allows an authenticated Admin user to abuse the locale input so that Ghost executes arbitrary commands from a file that was previously uploaded through the file upload functionality in the post editor. Exploitation therefore requires both Admin-level credentials and a prior upload; neither unauthenticated visitors nor lower-privileged staff users can trigger it on their own.

Ghost(Pro):

Ghost(Pro) has already been patched. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.

Patch & Workarounds:

Patched versions of Ghost add validation to the locale input to prevent execution of arbitrary files. Updating Ghost is the quickest complete solution.

As a workaround, if for any reason you cannot update your Ghost instance, you can block POST requests to the /ghost/api/admin/settings/ endpoint (for example at your reverse proxy). Note that this also prevents anyone from updating settings for your site until the block is lifted, so treat it as a stopgap until you can update.
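One way to apply that workaround at the reverse proxy, written here as an added example rather than configuration from the Ghost team: the snippet assumes Ghost is served behind nginx on its default port 2368 on the same host, and that the `location` sits inside the `server` block that already proxies the rest of the site. It rejects only POST requests to the exact settings path and leaves every other Admin API route untouched.

```nginx
# Added example, not from the Ghost advisory: temporarily deny settings
# updates while leaving the rest of Ghost Admin reachable.
# Assumptions: Ghost listens on 127.0.0.1:2368 (the default) and the other
# /ghost/ routes are proxied by a broader location in the same server block.
location = /ghost/api/admin/settings/ {
    # Only the settings-update call is blocked; GET still returns settings.
    if ($request_method = POST) {
        return 403;
    }

    proxy_pass http://127.0.0.1:2368;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

After `nginx -t` and a reload, confirm the block is in place with `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://your-site.example/ghost/api/admin/settings/`, which should print 403 even before authentication; a GET of the same URL should still reach Ghost (and return 403 from Ghost itself only because the request carries no session). Remove the location block once you have updated to 5.2.3 or 4.48.2, otherwise the Settings screen in Ghost Admin will keep failing to save.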

Disclosure:

Full details of the vulnerability have been published through GitHub Advisories. We've also published a notification to all affected sites that will appear in Ghost Admin, and shared the details here on the forum. Affected Ghost sites will also self-notify site owners by email.

We're grateful to everyone who finds and reports vulnerabilities responsibly, following our security policy.
