
Ghost Release: 5.71.1

Tag Name: v5.71.1

Release Date: 11/1/2023

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v5.71.1 fixes a security vulnerability where raw mobiledoc and lexical content was accessible through the Content API using the fields parameter, even though this content should not be exposed publicly. This patch ensures that internal content formats remain properly protected, maintaining the integrity of Ghost's content security model.

Highlight of the Release

    • Fixed security vulnerability in the Content API that allowed access to raw mobiledoc and lexical content
    • Updated post mapper in API output serializers to properly strip internal content formats
    • Closed a bypass that allowed accessing protected content formats via the fields parameter

Migration Guide

No migration steps are required for this patch release. The update is fully backward compatible for standard usage of the Content API.

However, if your custom code explicitly requested the mobiledoc or lexical fields via the Content API's fields parameter, you will need to update that code, as these fields are no longer available through this API.

Upgrade Recommendations

Immediate Upgrade Recommended

This release fixes a security vulnerability in the Content API. All Ghost installations should be updated to v5.71.1 as soon as possible to ensure content is properly protected.

The update process follows the standard Ghost upgrade path and should not cause any disruption to your site's operation.

Bug Fixes

Security Bug Fix

Fixed an issue where the Content API was exposing raw mobiledoc and lexical content when specifically requested via the fields parameter. While the API was correctly handling content format filtering when using the formats parameter, it wasn't properly filtering these internal formats when they were explicitly requested using the fields parameter.

The fix updates the post mapper used in API output serializers to ensure these fields are always stripped before content is sent through the API, regardless of how the content is requested.

New Features

No new features were introduced in this patch release. This is strictly a security fix release.

Security Updates

Content API Data Exposure Fix

This release patches a security vulnerability where internal content formats (mobiledoc and lexical) were accessible through the Content API when explicitly requested via the fields parameter. These formats are not intended to be publicly accessible as they:

  1. Are not membership-gated
  2. May contain internal metadata not meant for public consumption
  3. Could potentially expose sensitive information in future implementations

The vulnerability was reported by Prathap Puthran, and the Ghost team has addressed it by ensuring these fields are properly stripped from all API responses.
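The following is an added illustration, not Ghost's own code, of the bug class described in the Bug Fixes and Security Updates sections: a simplified Content API post mapper that filters the formats parameter correctly but copies an explicit fields selection straight through, beside a version that strips the internal formats unconditionally. The function names, the query shape and the sample post are constructed for this example.

```javascript
// Added example (not Ghost's code): simplified model of a Content API post mapper.
// Internal editor formats that must never reach Content API consumers.
const INTERNAL_FORMATS = ['mobiledoc', 'lexical'];
// Rendered formats a client may legitimately request via ?formats=
const PUBLIC_FORMATS = ['html', 'plaintext'];

// Constructed sample post record as it might come out of the data layer.
const samplePost = {
  id: 'post-1',
  title: 'Hello',
  html: '<p>Hello</p>',
  plaintext: 'Hello',
  mobiledoc: '{"version":"0.3.1","cards":[],"sections":[]}',
  lexical: '{"root":{"children":[],"type":"root"}}',
};

// Parse a comma-separated query value such as "id,title,mobiledoc".
function parseList(value) {
  return value ? value.split(',').map((s) => s.trim()).filter(Boolean) : null;
}

// Copy only the named attributes from a post record.
function pick(post, keys) {
  const out = {};
  for (const k of keys) if (k in post) out[k] = post[k];
  return out;
}

// "Before": ?formats= is restricted to public formats, but an explicit
// ?fields=mobiledoc,lexical selection bypasses that check entirely.
function mapPostVulnerable(post, query) {
  const requested = parseList(query.formats) || ['html'];
  const formats = requested.filter((f) => PUBLIC_FORMATS.includes(f));
  const defaults = ['id', 'title', ...formats];
  const fields = parseList(query.fields) || defaults;
  return pick(post, fields); // BUG: fields may name internal formats
}

// "After": the internal formats are deleted at the end of the mapper, so the
// result is safe regardless of how the client asked for the content.
function mapPostFixed(post, query) {
  const out = mapPostVulnerable(post, query);
  for (const f of INTERNAL_FORMATS) delete out[f];
  return out;
}

// Defensive check a test suite can run over serialized output.
function exposesInternalFormat(out) {
  return INTERNAL_FORMATS.some((f) => f in out);
}
```

Running `mapPostFixed(samplePost, { fields: 'id,mobiledoc,lexical' })` returns only `{ id: 'post-1' }`, while the vulnerable mapper returns both internal formats for the same query.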

Performance Improvements

No specific performance improvements were included in this patch release.

Impact Summary

This security patch addresses an important vulnerability in Ghost's Content API that could potentially expose internal content formats. While there's no evidence of widespread exploitation, the fix is crucial for maintaining proper content security boundaries.

The change ensures that internal content formats (mobiledoc and lexical) are consistently protected regardless of how the Content API is queried. This maintains Ghost's security model where certain content aspects should remain internal to the system.

For most users, this update will have no visible impact on day-to-day operations. Developers who were explicitly requesting these fields through the Content API will need to adjust their code, as this access path is now properly secured.

Full Release Notes

Statistics:

Files Changed: 7
Line Additions: 155
Line Deletions: 2
Line Changes: 157
Total Commits: 2

Users Affected:

  • Those using the Content API with custom `fields` parameters will no longer be able to access `mobiledoc` and `lexical` fields
  • May need to update any code that was relying on these fields from the Content API

Contributors:

kevinansfield, github-actions[bot]