Impact
Ghost is a Node.js content management system that can be deployed behind a shared caching layer. An unauthenticated user may include a custom x-ghost-preview header in an HTTP request that alters the rendering of the frontend page. When the modified content is cached and subsequently served to other visitors, it results in cache poisoning and injection of arbitrary HTML or script. In configurations where the Ghost frontend and admin panel share the same domain, an attacker can leverage the injected code to hijack staff user accounts, effectively gaining elevated privileges. The weakness is classified as CWE-524, reflecting uncontrolled use of an input header to influence output.
Affected Systems
The affected product is Ghost, published by TryGhost. All releases prior to version 6.37.0 are impacted; the issue is resolved in Ghost 6.37.0 and later.
Risk and Exploitability
The vulnerability has a CVSS score of 9.6, indicating a high severity level. No EPSS score is reported and the vulnerability is not listed in CISA KEV. An attacker can exploit it without authentication by sending a crafted HTTP request bearing the x-ghost-preview header; the attack requires the presence of a shared caching mechanism that stores and serves dynamic preview pages across users. If the frontend and admin share the same domain, the resulting cache poisoning enables privilege escalation to staff accounts, presenting a significant risk to both confidentiality and integrity of the system.
OpenCVE Enrichment
Github GHSA