
Ghost Release: 5.24.1

Tag Name: v5.24.1

Release Date: 11/28/2022

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v5.24.1 Security Update

This release fixes a security vulnerability in how Ghost's model layer handles Bookshelf relations. Relations accepted nested writes by default, so a member updating their own record could also modify the newsletter records linked to it. Editable relations are now disabled by default and must be enabled explicitly per relation. All Ghost 5.x installations should apply this update.

Highlight of the Release

    • Fixed a security vulnerability where members could potentially edit newsletter settings
    • Improved data integrity by disabling editable relations by default
    • Enhanced security in the model layer to prevent unwanted nested saves
    • Made relational data modification patterns safer to use

Migration Guide

Migration Notes

This release changes how Bookshelf relations in Ghost's model layer handle nested writes: related records are no longer created or updated through a parent save unless the relation is explicitly marked editable. If you have custom code that relies on editing related records through a relation, you will need to mark those relations as editable.

Example of how to define an editable relation:

// Before v5.24.1, relations were editable by default
this.belongsTo('someModel');

// After v5.24.1, you need to explicitly make relations editable
this.belongsTo('someModel', {editable: true});

Review any custom code that modifies related records to ensure it continues to function as expected after this update.

Upgrade Recommendations

Urgency: Critical

All Ghost installations running version 5.x should update to v5.24.1 immediately to address the security vulnerability. This is a security-focused release with minimal code changes, making it a low-risk update.

To upgrade:

  1. Back up your Ghost installation
  2. Follow the standard Ghost update process for your installation method
  3. If using custom code that interacts with Bookshelf relations, review and update as needed

No database migrations are required for this update.

Bug Fixes

No general bug fixes were included in this security-focused release.

New Features

No new features were introduced in this security-focused release.

Security Updates

Security Vulnerability Fix

This release addresses a security vulnerability (GHSA-9gh8-wp53-ccc6) in which Bookshelf relations accepted nested writes to related records by default. Because the members API lets a member update their own record, including which newsletters they subscribe to, a member could include modified newsletter attributes in that update and have them saved to the newsletter records themselves, which only staff users should be able to change.

The fix disables editable relations by default; any relation that should accept nested writes must now declare it explicitly. This change:

  • Prevents unwanted nested saves in the model layer
  • Blocks unauthorized modification of related records
  • Makes it visible in each model definition which relations accept nested writes

Credit for discovering this vulnerability goes to Dave McDaniel and other members of Cisco Talos.
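The following is an added example, not Ghost's own code or the patch from this release. It is a toy in-memory model layer that reproduces the failure mode described in the Migration Guide and in this section: a member update carries a nested object under a relation key, and whether the nested attributes reach the related record depends on the default for editable relations. The store, the member and newsletter records, the hostile payload and the saveMember function are all constructed for this illustration; the `editable` flag name follows the page's migration example and is not a claim about Ghost's real model API.

```javascript
// Added example, not Ghost's own code: a toy in-memory model layer that
// reproduces the nested-save problem behind this release. With relations
// editable by default (pre-5.24.1 behaviour) the nested attributes in a
// member update are written onto the related newsletter record; with the
// opt-in default (5.24.1 behaviour) they are treated as a reference only.

// Constructed sample data: one site-wide newsletter, one label, one member.
function makeStore() {
  return {
    newsletters: new Map([
      ['nl-1', { id: 'nl-1', name: 'Weekly digest', sender_email: 'news@example.com' }]
    ]),
    labels: new Map([
      ['lb-1', { id: 'lb-1', name: 'vip' }]
    ]),
    members: new Map([
      ['m-1', { id: 'm-1', email: 'alice@example.com', newsletters: ['nl-1'], labels: ['lb-1'] }]
    ])
  };
}

// Relation definitions for the member model. The `editable` flag is the
// option name used in the migration note on this page (an assumption, not
// Ghost's real API). Only `labels` opts in to nested writes.
const memberRelations = {
  newsletters: { table: 'newsletters' },
  labels: { table: 'labels', editable: true }
};

// Apply a member update. Each relation key in the payload may hold ids or
// nested objects. `relationsEditableByDefault: true` mimics the old default,
// false mimics the 5.24.1 default.
function saveMember(store, memberId, payload, relations, opts = {}) {
  const editableByDefault = opts.relationsEditableByDefault === true;
  const member = store.members.get(memberId);
  if (!member) throw new Error(`unknown member ${memberId}`);

  for (const [key, rel] of Object.entries(relations)) {
    if (!Array.isArray(payload[key])) continue;
    const editable = editableByDefault || rel.editable === true;
    const table = store[rel.table];
    const linked = [];
    for (const item of payload[key]) {
      const id = typeof item === 'string' ? item : item && item.id;
      if (!table.has(id)) continue; // only existing records can be linked
      if (editable && typeof item === 'object') {
        // Nested save: the payload overwrites attributes of the related record.
        Object.assign(table.get(id), item);
      }
      linked.push(id);
    }
    member[key] = linked; // the link itself is always updated
  }
  return member;
}

// Constructed hostile payload: a member "updates their subscriptions" but
// smuggles new attributes for the newsletter record itself.
const hostilePayload = {
  newsletters: [{ id: 'nl-1', name: 'Hijacked digest', sender_email: 'attacker@example.net' }],
  labels: [{ id: 'lb-1', name: 'renamed' }]
};

// Run the same payload under both defaults and return the resulting records.
function demo(relationsEditableByDefault) {
  const store = makeStore();
  const member = saveMember(store, 'm-1', hostilePayload, memberRelations, { relationsEditableByDefault });
  return {
    newsletter: store.newsletters.get('nl-1'),
    label: store.labels.get('lb-1'),
    member
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('editable by default:', demo(true).newsletter);
  console.log('opt-in only:        ', demo(false).newsletter);
}
```

Running the file shows the newsletter's name and sender address replaced under the old default and untouched under the new one, while the member's subscription link is updated in both cases and the explicitly editable `labels` relation still accepts the nested write. The practical check for custom code after upgrading is the same as in this toy: any relation whose nested attributes you expect to be saved must opt in, and any relation reachable from a member-facing endpoint should not.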

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

This security release addresses a significant vulnerability in Ghost's data model layer that could allow unauthorized modification of newsletter settings through member accounts. By disabling editable relations by default, Ghost now requires explicit permission for any relation that should be able to modify related records.

The change improves the overall security posture of Ghost by preventing unwanted nested saves and creating clearer boundaries around data modification. While this is primarily a security fix, it also represents an architectural improvement in how Ghost handles relational data.

For most users, this update will be transparent with no visible changes to functionality. Developers working with custom code that extends Ghost's models may need to update their code to explicitly enable editable relations where needed.

Full Release Notes

Statistics:

Files changed: 13
Line additions: 212
Line deletions: 32
Line changes: 244
Total commits: 2

Users Affected:

  • Need to update their Ghost installation to v5.24.1 immediately to protect against security vulnerabilities
  • Should review any custom code that relies on editable relations in Bookshelf

Contributors:

naz, github-actions[bot]