
Ghost Release: 4.3.3

Tag Name: v4.3.3

Release Date: 4/29/2021

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 4.3.3 delivers a critical security fix by removing an unused preview endpoint that was found to be insecure. This release also fixes two important bugs: one that incorrectly set every site to allow free member signups during the migration to 4.3.0, and another that caused requests made with staff access tokens to fail. All Ghost 4.x users should update immediately to address the security vulnerability.

Highlight of the Release

    • Critical security vulnerability fix by removing an unused and insecure preview endpoint
    • Fixed migration issue that incorrectly set all sites to allow free member signups
    • Resolved staff access token functionality that broke in 4.3.0

Migration Guide

No specific migration steps are required for this update. Simply update your Ghost installation to version 4.3.3 following the standard update procedure for your deployment method.

Upgrade Recommendations

Immediate upgrade recommended

This release contains a critical security fix that addresses a vulnerability in all Ghost 4.x installations. All users running any version of Ghost 4.x should update to 4.3.3 immediately.

The update is backward compatible and should not cause any disruption to your site's functionality.

Bug Fixes

Fixed Ghost 4.3.0 migration issue

A bug in the migration to Ghost 4.3.0 was setting every site to "allow free members signup" mode. This happened because:

  • The migration that moves members_allow_free_signup to members_signup_access expected the old setting's value to be a raw boolean
  • The value is actually stored as a string, and any non-empty string, including "false", is truthy in JavaScript, so the check always passed
  • As a result, every site appeared to have "allow free members signup" toggled on when the new setting's value was generated
  • The fix updates the migration to compare against an explicit string value in the up step and to write an explicit string value back in the down step
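The following is an added example written for this page, not Ghost's own migration code. It shows why a truthiness check on a string-serialised setting flips every site to open signup, and what the explicit string comparison in the up step and the explicit string write in the down step look like. The setting row shape ({site, key, value}) and the values 'all' and 'invite' for members_signup_access are assumptions, as is the sample settings table, which is constructed for the example.

```javascript
// Added example, not Ghost's migration code. Assumptions: settings are rows
// {key, value} with the value serialised as a string, and members_signup_access
// is 'all' when free signup is allowed and 'invite' otherwise.

// Constructed sample settings table: two sites, one with free signup enabled
// and one with it disabled. Both values are strings, as they are in the database.
const sampleSettings = [
  { site: 'site-a', key: 'members_allow_free_signup', value: 'true' },
  { site: 'site-b', key: 'members_allow_free_signup', value: 'false' },
];

// Buggy "up" step: treats the stored value as if it were a raw boolean.
// Any non-empty string, including 'false', is truthy in JavaScript.
function buggyUp(row) {
  return { key: 'members_signup_access', value: row.value ? 'all' : 'invite' };
}

// Fixed "up" step: compare against the explicit serialised string.
function fixedUp(row) {
  return { key: 'members_signup_access', value: row.value === 'true' ? 'all' : 'invite' };
}

// Fixed "down" step: write back an explicit serialised string rather than a raw
// boolean, so a later "up" sees exactly the representation it expects.
function fixedDown(row) {
  return { key: 'members_allow_free_signup', value: row.value === 'all' ? 'true' : 'false' };
}

// Run one migration step over every row, keeping the site label for readability.
function runMigration(step, rows) {
  return rows.map((row) => ({ site: row.site, ...step(row) }));
}

// Round-trip check: up followed by down must restore every original value.
function roundTripPreservesValue(rows) {
  const restored = runMigration(fixedDown, runMigration(fixedUp, rows));
  return restored.every((row, i) => row.value === rows[i].value);
}

console.log('buggy up :', runMigration(buggyUp, sampleSettings));
console.log('fixed up :', runMigration(fixedUp, sampleSettings));
console.log('round trip ok:', roundTripPreservesValue(sampleSettings));
```

With the buggy step both sites come out as 'all'; with the fixed step site-b keeps 'invite', and running down after up restores the original 'true'/'false' strings. The same trap applies to any settings table that serialises booleans as strings: compare against the serialised form, never rely on truthiness.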

Fixed staff access token error

A regression introduced in Ghost 4.3.0 was causing requests authenticated with staff access tokens to fail:

  • An earlier refactoring converted promise-chained code to async/await but dropped the early return that ended the staff-token branch
  • Execution therefore continued past that block into code that was never meant to run for a token-authenticated request, which produced an error
  • The fix restores the return statement at the end of the block where staff API tokens are handled, matching the original behaviour
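The following is an added example written for this page, not Ghost's authentication code. It reproduces the shape of the regression: a promise-chain authenticator whose early return is lost when the block is rewritten with async/await, so a request carrying a valid staff token falls through into a session check that throws. The 'Ghost <token>' Authorization header format, the in-memory token store and the session check are constructed stand-ins, and the request object is constructed for the example.

```javascript
// Added example, not Ghost's auth code. Assumptions: a request carries either a
// staff token in the Authorization header or a session; the token store and the
// session check below are constructed stand-ins for the real lookups.

const staffTokens = new Map([['tok-staff-1', { id: 'u1', role: 'Administrator' }]]);

// Returns the staff user for a valid token header, or null when there is none.
function lookupStaffToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const m = /^Ghost (\S+)$/.exec(header);
  return m && staffTokens.has(m[1]) ? staffTokens.get(m[1]) : null;
}

// Session authentication: rejects when no session is present.
async function authenticateSession(req) {
  if (!req.session || !req.session.userId) {
    throw new Error('Not authenticated');
  }
  return { id: req.session.userId, role: 'Editor' };
}

// Original promise-chain version: the return ends the chain once a staff token
// has been accepted, so session auth never runs for token callers.
function authenticateOriginal(req) {
  return Promise.resolve(lookupStaffToken(req)).then((user) => {
    if (user) {
      req.user = user;
      return req.user;
    }
    return authenticateSession(req).then((u) => { req.user = u; return u; });
  });
}

// Regressed async/await version: same block, but the early return was dropped,
// so execution continues into the session check and throws for token callers.
async function authenticateRegressed(req) {
  const user = lookupStaffToken(req);
  if (user) {
    req.user = user;
    // missing: return req.user;
  }
  req.user = await authenticateSession(req);
  return req.user;
}

// Fixed version: the early return at the end of the staff-token block is restored.
async function authenticateFixed(req) {
  const user = lookupStaffToken(req);
  if (user) {
    req.user = user;
    return req.user;
  }
  req.user = await authenticateSession(req);
  return req.user;
}

// Constructed request: a staff token and no session, as an API client would send.
function tokenRequest() {
  return { headers: { authorization: 'Ghost tok-staff-1' }, session: null };
}

// Runs one authenticator against the token request and reports the outcome.
async function outcome(authenticate) {
  try {
    const user = await authenticate(tokenRequest());
    return 'ok:' + user.id;
  } catch (e) {
    return 'error:' + e.message;
  }
}

outcome(authenticateOriginal).then((r) => console.log('original :', r));
outcome(authenticateRegressed).then((r) => console.log('regressed:', r));
outcome(authenticateFixed).then((r) => console.log('fixed    :', r));
```

The original and fixed versions resolve with the staff user; the regressed version throws 'Not authenticated' even though the token was valid. When converting promise chains to async/await in authentication middleware, check that every branch that previously ended the chain still ends the function, and cover each credential type with a test that asserts the other checks were not reached.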

New Features

No new features were added in this release. This is primarily a security and bug fix release.

Security Updates

Removed unused and insecure preview endpoint

A critical security vulnerability was discovered and fixed in this release:

  • An experimental preview endpoint that was developed during the build phase of Ghost 4.0 was left in the codebase but never used
  • This endpoint contained a security vulnerability that could be exploited
  • The endpoint has been completely removed to address the vulnerability
  • This vulnerability affects all Ghost 4.x installations

The security issue was identified and reported by Paul Gerste from SonarSource (https://www.sonarsource.com/).

For more details, see the security advisory.

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

Ghost 4.3.3 is a critical security and bug fix release that addresses a significant security vulnerability in all Ghost 4.x installations. By removing an unused and insecure preview endpoint, this update closes a potential security hole that could be exploited.

Additionally, this release fixes two important bugs: one that incorrectly configured member signup settings during migration, and another that broke staff access token functionality. These fixes ensure that member signup settings are correctly preserved during migrations and that staff API tokens work as expected.

The security fix is particularly important, and all Ghost 4.x users should update immediately to protect their installations. The update is straightforward with no special migration steps required.

Full Release Notes

⚠️ Ghost 4.3.3 contains a critical security fix - see advisory for info.

  • 🔒 Removed unused and insecure preview endpoint - Hannah Wolfe
  • 🐛 Fixed error when using staff access tokens - Daniel Lockyer
  • 🐛 Fixed Ghost 4.3.0 migration that put all sites into "allow free members signup" (#12904) - Kevin Ansfield


Statistics:

Files changed: 8
Line additions: 5
Line deletions: 76
Line changes: 81
Total commits: 5

Users affected:

  • Need to update their Ghost installation immediately to patch the security vulnerability
  • Will have the correct member signup settings once the migration bug fix is applied
  • Will have working staff access tokens again

Contributors:

kevinansfield, daniellockyer, ErisDS