Impact
Ghost does not validate the host of an image URL used in a post; when a post is re‑rendered, a missing image size causes Ghost to fetch the image from the URL specified by the staff user. This behavior can be exploited to make Ghost initiate outbound HTTP requests to attacker‑controlled hosts, including internal network addresses or cloud metadata services. The resulting request can expose sensitive internal information or be used as a stepping stone for further attacks, but it does not provide direct code execution on the server or full system compromise. The weakness corresponds to CWE‑918: Server‑Side Request Forgery.
Affected Systems
The vulnerability affects the Ghost content management system from version 6.19.4 through 6.21.1. All installations of Ghost within this range that allow staff users to create or edit posts are potentially affected. Upgrading to Ghost 6.21.1 or later removes the flaw.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity. No EPSS score is currently available, so the probability of exploitation remains uncertain. Ghost is not listed in the CISA KEV catalog. The vulnerability is exploitable only by authenticated staff users with post editing privileges. An attacker would need to use those privileges to set an image URL pointing to a target internal host or metadata endpoint.
OpenCVE Enrichment