Ghost Release: 5.2.3

Tag Name: v5.2.3

Release Date: 6/15/2022

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v5.2.3: Critical Security Update

This release addresses a critical Remote Code Execution (RCE) vulnerability in Ghost's date helper functionality. The security fix prevents attackers from exploiting locale settings to execute arbitrary commands through previously uploaded files. All Ghost installations should be updated immediately to protect against this security risk.

Highlight of the Release

  • Fixed critical Remote Code Execution (RCE) vulnerability in the date helper functionality
  • Security patch for locale setting exploitation that could allow arbitrary command execution
  • Updated test and linting packages for improved development workflow

Migration Guide

No migration steps are required for this update. Simply update your Ghost installation to v5.2.3 using your standard update process:

ghost update

Or if using Docker:

docker pull ghost:5.2.3

After updating, no configuration changes or additional steps are needed.

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical nature of the security vulnerability fixed in this release, immediate upgrade is strongly recommended for all Ghost installations regardless of version.

  • Priority: Critical
  • Timing: Update as soon as possible
  • Affected versions: All versions prior to 5.2.3 that use the vulnerable date helper functionality
  • Difficulty: Standard update process, no special steps required

This is a drop-in replacement that addresses a serious security issue without introducing breaking changes.

Bug Fixes

Security Bug Fix

Fixed a Remote Code Execution (RCE) vulnerability in the date helper functionality related to locale settings. This vulnerability (tracked as GHSA-7v28-g2pq-ggg8) could allow an attacker to execute arbitrary commands from a file that had been previously uploaded using the post editor's file upload functionality.

New Features

No new features were introduced in this release. This is strictly a security-focused update addressing a critical vulnerability.

Security Updates

Critical Security Fix

This release patches a Remote Code Execution (RCE) vulnerability discovered in Ghost's date helper functionality. The vulnerability, tracked as GHSA-7v28-g2pq-ggg8, was related to an upstream library issue where:

  • An attacker could abuse locale input settings to execute arbitrary commands
  • The exploit required a file to have been previously uploaded using the post editor's file upload functionality
  • The vulnerability could potentially give attackers access to the server running Ghost

Credit for identifying this vulnerability goes to Fabien "egg" O'Carroll.

Performance Improvements

No specific performance improvements were included in this release. The focus was on addressing the critical security vulnerability.

Impact Summary

This release addresses a critical security vulnerability that could allow attackers to execute arbitrary code on servers running Ghost. The Remote Code Execution (RCE) vulnerability in the date helper functionality related to locale settings has been patched, preventing potential server compromises.

The security fix is essential for all Ghost installations, as exploitation could lead to unauthorized access to your server, data breaches, or service disruption. The update is straightforward with no breaking changes, making it a priority update that should be applied immediately.

While this release doesn't introduce new features or performance improvements, the security enhancements significantly improve the overall safety and integrity of Ghost installations. The update also includes improvements to test and linting packages, which benefit the development workflow but don't affect end users directly.

Full Release Notes

Statistics:

Files Changed: 5
Line Additions: 40
Line Deletions: 58
Line Changes: 98
Total Commits: 4

Users Affected:

  • Need to update their Ghost installations immediately to patch the security vulnerability
  • Should review their site for any suspicious activities that might indicate exploitation of this vulnerability

Contributors:

  • renovate-bot
  • allouis
  • daniellockyer