Ghost 6: Ghost CMS SQL Injection (v3.24.0 – v6.19.0)

Reference to original post:

SQL injection in Content API

### Impact A SQL injection vulnerability existed in Ghost’s Content API that allowed unauthenticated attackers to read arbitrary data from the database. ### Vulnerable Versions This vulne…

GitHubTryGhost

The cybersecurity community has identified a significant vulnerability within the Ghost CMS ecosystem. This is a third-party advisory intended to inform all administrators, developers, and stakeholders using the Ghost platform to take immediate action to secure their data.

The Vulnerability: Unauthenticated SQL Injection

A critical flaw has been discovered in Ghost’s Content API. This vulnerability allows an unauthenticated attacker—meaning anyone with access to your site’s public URL—to execute malicious SQL queries.

• Impact: Attackers can potentially read arbitrary data from your database, including user information, private settings, and sensitive site metadata.
• The Risk Factor: Because the Content API key is public by design (embedded in your site's frontend), this vulnerability is highly accessible to automated scanners and malicious actors.

Affected Versions

If you are running any version of Ghost within the following range, your site is currently at risk:

Ghost v3.24.0 through v6.19.0

The Solution: Immediate Patching

The Ghost team has released an official fix. To protect your installation, you must upgrade to the latest patched version immediately.

• Fixed Version: Ghost v6.19.1

How to Update:

1. Backup: Perform a full database and content backup.
2. CLI Update: Run npm install -g ghost-cli@latest to ensure your tools are current.
3. Apply Patch: Execute ghost update in your terminal.

Temporary Mitigation & Workarounds

There is no application-level workaround (such as changing settings or API keys) because the Content API is inherently public.

If you cannot update immediately, you should implement a temporary block at the Network/WAF level (Nginx, Cloudflare, etc.) to filter out malicious requests.

• Filter Rule: Block all Content API requests containing slug%3A%5B or slug:[ in the query string.
• Caution: This mitigation is a "stop-gap" only. It may break legitimate site functionality related to slug filtering and should be removed once you have successfully updated to v6.19.1.

Community Action

We urge all community members to spread this notice to fellow developers and site owners. Check your version numbers today—security is a collective effort.