Impact
Ghost versions 6.0.9 through 6.21.0 perform outbound HTTP requests after checking that the destination is not a private IP address. An attacker can use DNS rebinding to make that check fail, causing Ghost to reach arbitrary internal hosts via its external‑fetch features. The result is that the server can expose or exfiltrate data from internal services. This flaw maps to CWE‑918 and the underlying DNS rebinding weakness described by CWE‑367. The issue was addressed in 6.21.1.
Affected Systems
The affected product is TryGhost Ghost CMS. Versions from 6.0.9 through 6.21.0 are vulnerable, with the fix delivered in 6.21.1.
Risk and Exploitability
The CVSS score is 4, indicating a moderate risk. No EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog. The attack still requires that the attacker can influence Ghost to perform an outbound request, such as by submitting a crafted URL or triggering a content source fetch. The DNS rebinding bypass removes the private‑IP check, effectively turning Ghost into a proxy for internal network access.
OpenCVE Enrichment