We’ve been made aware of a security vulnerability in Ghost versions up to v6.19.0. This is patched in v6.19.1, which has been released and rolled out on Ghost(Pro). Self-hosters should update to v6.19.1 as soon as possible.
Details:
A SQL injection vulnerability existed in Ghost’s Content API that allowed unauthenticated attackers to read arbitrary data from the database.
Docker Image:
The Docker image for v6.19.1 is available on Docker Hub here. We’re actively working on improving when and how we release security updates to the Docker image.
Ghost(Pro):
Ghost(Pro) has already been patched. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.
Patch & Workarounds:
There is no application-level workaround. The Content API key is public by design, so restricting key access does not mitigate this vulnerability.
As a temporary mitigation, a reverse proxy or WAF rule can be used to block Content API requests containing slug%3A%5B or slug:[ in the query string filter parameter. Note that this may break legitimate slug filter functionality.
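To illustrate the temporary mitigation above, here is an added example (written for this post, not Ghost's own code) that applies the advisory's rule to a request target: it is a Content API request whose filter query parameter contains slug:[ or its percent-encoded form slug%3A%5B. The same check is run over a few constructed access-log lines, so site owners can also use it to review past traffic for requests the rule would have blocked. The Content API path prefix /ghost/api/content/ is an assumption, since the post does not state it.

```python
"""
Defensive helper for the advisory's temporary mitigation: flag Content API
requests whose `filter` query parameter contains `slug:[` (or the encoded
form `slug%3A%5B`) so they can be blocked at a reverse proxy/WAF or found in
access logs.  Example code written for this post, not part of Ghost.
"""
from urllib.parse import parse_qsl, urlsplit

# Assumed Content API path prefix (the advisory does not state it).
CONTENT_API_PREFIX = "/ghost/api/content/"

# Marker named in the advisory. parse_qsl percent-decodes once, so the
# encoded form slug%3A%5B normalises to this string as well.
BLOCK_MARKER = "slug:["


def is_content_api_request(target: str) -> bool:
    """True if the request target (path?query) is under the Content API."""
    return urlsplit(target).path.startswith(CONTENT_API_PREFIX)


def filter_params(target: str) -> list[str]:
    """Return every (percent-decoded) value of the `filter` query parameter."""
    query = urlsplit(target).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == "filter"]


def should_block(target: str) -> bool:
    """Apply the advisory's rule: Content API path AND a filter containing slug:[ ."""
    if not is_content_api_request(target):
        return False
    return any(BLOCK_MARKER in value for value in filter_params(target))


def scan_access_log(lines: list[str]) -> list[str]:
    """Return the request targets from Combined-Log-Format lines that match the rule."""
    hits = []
    for line in lines:
        # The request field is the first quoted segment: "GET /path?query HTTP/1.1"
        try:
            request = line.split('"')[1]
            target = request.split(" ")[1]
        except IndexError:
            continue  # malformed line, skip it
        if should_block(target):
            hits.append(target)
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /ghost/api/content/posts/?key=abc&limit=5 HTTP/1.1" 200 812',
    '203.0.113.6 - - [01/Jan/2025:10:00:01 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%5Bhello%5D HTTP/1.1" 200 412',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug:[hello] HTTP/1.1" 200 412',
    '203.0.113.8 - - [01/Jan/2025:10:00:03 +0000] "GET /ghost/api/content/posts/?key=abc&filter=tag:news HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /about/?filter=slug:[x] HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for target in scan_access_log(SAMPLE_LOG):
        print("would block:", target)
```

The check deliberately matches only the filter parameter on Content API paths, mirroring the advisory's wording, so a slug:[ appearing elsewhere (a normal page URL, for instance) is left alone; as the post notes, legitimate slug filters using the same syntax will still be caught.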
Disclosure:
The vulnerability has been published as a GitHub Security Advisory. We’ve also published a notification to all affected sites that will appear in Ghost Admin and shared the details here on the forum. Affected Ghost versions will also self-notify site owners by email.
We’re grateful to everyone who finds and reports vulnerabilities responsibly by following our security policy.