
Ghost Release: 4.48.4

Tag Name: v4.48.4

Release Date: 9/1/2022

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v4.48.4 enhances security with improved rate limiting for user logins

This minor security update changes how Ghost handles login attempt rate limiting. Instead of using a global block that could potentially allow attackers to enumerate email addresses, the system now implements IP-based rate limiting for brute force protection. This targeted approach provides better security against malicious login attempts while maintaining normal functionality for legitimate users.

Highlight of the Release

    • Improved security against brute force login attacks
    • IP-based rate limiting for login attempts instead of username-based limiting
    • Better protection against email address enumeration attacks

Migration Guide

No migration steps are required for this release. The security enhancement is applied automatically when updating to v4.48.4.

This is a patch release that can be safely applied without any configuration changes or additional steps.

Upgrade Recommendations

Priority: High - Security Update

All Ghost installations should be upgraded to v4.48.4 as soon as possible to benefit from the improved security measures for login protection.

To upgrade:

  1. Back up your Ghost installation
  2. Follow the standard Ghost update procedure for your installation method
  3. No configuration changes are needed after the update

This is a minor security patch with minimal changes, so the upgrade process should be straightforward with no expected compatibility issues.

Bug Fixes

Security Bug Fix

Fixed a vulnerability in the login rate limiting system that could potentially allow malicious actors to enumerate email addresses to determine valid user accounts. The fix changes the rate limiting approach from being tied to usernames to being based on the IP address of the login attempt.

This addresses the issue tracked as Team#1074 and is implemented in PR #15342.

New Features

No new features were added in this release. This is a security-focused patch release that addresses a specific vulnerability in the login system.

Security Updates

Enhanced Login Security

This release improves the security of Ghost's login system by changing how rate limiting works for login attempts:

  • Previous behavior: Rate limiting was tied to usernames, which could potentially allow attackers to enumerate email addresses to determine which accounts exist
  • New behavior: Rate limiting is now IP-based, making it more difficult for attackers to determine valid user accounts through brute force attempts
  • Impact: This change helps protect user account information and reduces the risk of targeted attacks

This security enhancement was implemented by Fabien 'egg' O'Carroll in PR #15342.

Performance Improvements

No specific performance improvements were included in this release. The changes were focused on security enhancements rather than performance optimization.

Impact Summary

Ghost v4.48.4 is a security-focused patch release that improves how the system handles login attempt rate limiting. By changing from username-based to IP-based rate limiting, Ghost now provides better protection against brute force attacks and prevents potential enumeration of valid email addresses.

This change is particularly important for Ghost installations that are publicly accessible, as it reduces the risk of targeted attacks against specific user accounts. The implementation is transparent to end users and requires no configuration changes.

While this is a relatively small change in terms of code modifications (21 changes across 3 files), it represents an important security enhancement that addresses a specific vulnerability identified in the authentication system.

Full Release Notes

Statistics:

  • Files changed: 3
  • Line additions: 4
  • Line deletions: 17
  • Line changes: 21
  • Total commits: 2

Impact on Users:

  • Better protection against brute force login attempts targeting their account
  • Reduced risk of email address enumeration attacks on their Ghost instance
  • No visible changes to the login experience for legitimate login attempts

Contributors:

  • allouis
  • daniellockyer