
Ghost Release: 4.48.6

Tag Name: v4.48.6

Release Date: 10/5/2022

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v4.48.6 is a security patch release that fixes a vulnerability in the magic link authentication endpoint. The issue allowed potential spammers to send multiple emails at once by providing comma-separated email addresses, bypassing rate limiting protections. This release adds proper validation to prevent this behavior, ensuring that only one email is sent per request. While this wasn't an authentication bypass vulnerability, it addresses a potential spam vector that could impact email deliverability.

Highlight of the Release

    • Fixed security vulnerability in magic link authentication endpoint
    • Prevented potential spam email abuse by adding proper validation
    • Ensured rate limiting works correctly for authentication emails

Migration Guide

No migration steps are required for this update. This is a drop-in security patch that can be applied without any configuration changes or additional steps.

Upgrade Recommendations

Immediate Upgrade Recommended

All Ghost installations should be updated to v4.48.6 as soon as possible to protect against potential abuse of the magic link authentication endpoint. This is a security patch release that addresses a vulnerability which could be exploited for sending spam emails.

The update is backward compatible and requires no configuration changes, making it a straightforward upgrade from v4.48.5.

Bug Fixes

Security Bug Fix

Fixed an issue in the magic link authentication endpoint where sending a string of comma-separated email addresses would trigger emails to be sent to each address in a single request. This allowed bypassing the normal rate limiting protections for authentication emails.

The fix adds proper validation to ensure only one email address can be processed per request, preventing potential abuse for sending spam emails through the Ghost platform.

New Features

No new features were added in this release. This is a security patch release focused on fixing a vulnerability in the magic link authentication endpoint.

Security Updates

Magic Link Authentication Endpoint Vulnerability

Fixed a security issue where the magic link authentication endpoint could be exploited to send multiple emails at once. By providing a string of comma-separated email addresses to the endpoint, an attacker could bypass rate limiting controls and potentially use the Ghost installation as a vector for sending spam emails.

This vulnerability did not allow for authentication bypass but presented a concern for email spam and potential impact on email deliverability for legitimate Ghost communications.

Credit for discovering this vulnerability goes to Sandip Maity ([email protected]).
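To make the class of bug concrete, here is an added illustration (not Ghost's own code, and the names `isSingleEmail`, `createMagicLinkHandler` and `runScenario` are hypothetical) of a magic-link request handler that validates the submitted address before any email is sent, so a per-request rate limit actually bounds the number of emails a client can trigger:

```javascript
// Added illustration, not Ghost's code: a magic-link request handler that
// accepts exactly one recipient per request. The weakness described in the
// release notes was that a list of comma-separated addresses produced one
// email per address while counting as a single rate-limited request.
const MAX_EMAIL_LENGTH = 254;

// Conservative single-address check: no whitespace, commas or semicolons
// anywhere, exactly one "@" followed by a dotted domain. It is deliberately
// strict rather than RFC-complete; the point is to reject lists outright.
const SINGLE_EMAIL_RE = /^[^\s@,;]+@[^\s@,;]+\.[^\s@,;]+$/;

function isSingleEmail(value) {
  return typeof value === 'string'
    && value.length <= MAX_EMAIL_LENGTH
    && SINGLE_EMAIL_RE.test(value);
}

// Per-client limit on requests. Counting requests is only meaningful if each
// request can send at most one email, which is what the validation enforces.
function createMagicLinkHandler({ sendEmail, limit = 5 }) {
  const requestCounts = new Map();
  return function handle(clientId, body) {
    const count = (requestCounts.get(clientId) || 0) + 1;
    requestCounts.set(clientId, count);
    if (count > limit) {
      return { status: 429, error: 'Too many requests' };
    }
    // Validate before the side effect: a rejected request sends nothing.
    if (!isSingleEmail(body && body.email)) {
      return { status: 400, error: 'A single valid email address is required' };
    }
    sendEmail(body.email);
    return { status: 201 };
  };
}

// Constructed scenario: one request from one client, observing how many
// emails it causes. Addresses and client id are made-up sample values.
function runScenario(input) {
  const sent = [];
  const handle = createMagicLinkHandler({ sendEmail: (to) => sent.push(to) });
  const res = handle('client-203.0.113.10', { email: input });
  return { status: res.status, emailsSent: sent.length };
}
```

With the validation in place, a multi-address string is rejected with 400 and zero emails sent, while a normal address yields exactly one email; the request counter then caps how many such requests a client may make.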

Performance Improvements

No specific performance improvements were included in this release. The changes were focused on security enhancements.

Impact Summary

This release addresses a security vulnerability in Ghost's magic link authentication system that could potentially be exploited for sending spam emails. By fixing the validation on the authentication endpoint, the update prevents attackers from bypassing rate limiting by submitting multiple comma-separated email addresses in a single request.

While this vulnerability did not allow unauthorized access to Ghost installations, it could have been used as a vector for sending unwanted emails, potentially affecting the email deliverability reputation of Ghost sites. The fix ensures that authentication requests are properly validated and rate-limited as intended.

This is a targeted security patch with minimal code changes (390 changes across 4 files) focused specifically on addressing this issue without introducing any new features or other modifications.

Full Release Notes

Statistics:

Files Changed: 4
Line Additions: 381
Line Deletions: 9
Line Changes: 390
Total Commits: 2

Users Affected:

    • Improved security for their Ghost installation
    • Reduced risk of their email sending capabilities being abused for spam
    • Better protection against potential rate limit bypasses

Contributors:

daniellockyer