Server-side Request Forgery (SSRF) Affecting ghost package, versions >=6.19.4 <6.21.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.12% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-GHOST-17823186
  • published6 Jul 2026
  • disclosed24 Jun 2026
  • creditUnknown

Introduced: 24 Jun 2026

NewCVE-2026-53946  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade ghost to version 6.21.2 or higher.

Overview

ghost is a publishing platform

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the populateImageSizes process in ghost/core/core/server/lib/mobiledoc.js. An authenticated staff user can trigger the server to make outbound requests to attacker-chosen image URLs by creating or editing a Mobiledoc image card and causing the post to be re-rendered. When populateImageSizes refetches missing image dimensions, it does so for non-local image URLs without restricting the destination host, allowing requests to internal network services or cloud metadata endpoints. This can leak internal data or other sensitive network responses back into Ghost’s processing path and expose infrastructure reachable only from the server.

CVSS Base Scores

version 4.0
version 3.1