
Ghost Release: 5.74.5

Tag Name: v5.74.5

Release Date: 11/28/2023

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost v5.74.5 Security Update

This release addresses a critical security vulnerability that could allow themes to read arbitrary files from your system and expose them to the internet. The fix restricts file reading to only the theme directory, preventing potential exposure of sensitive configuration files and secrets. This update is particularly important for Ghost hosting providers who store sensitive configuration data on their servers.

Highlight of the Release

    • Fixed critical security vulnerability that could expose sensitive configuration files
    • Restricted theme file reading to only the theme directory
    • Protected against potential exposure of secret keys and credentials

Migration Guide

No migration steps are required for this update. Simply update to v5.74.5 to apply the security fix.

If you are a theme developer and have created themes that intentionally reference files outside the theme directory (which would be unusual and not recommended), you will need to modify your theme to work within the new security constraints.

Upgrade Recommendations

Immediate Update Recommended

This is a critical security update that all Ghost installations should apply immediately, especially those in production environments.

The vulnerability could potentially expose sensitive configuration data including database credentials, API keys, and other secrets. Hosting providers are particularly at risk and should prioritize this update.

To upgrade:

  1. Back up your Ghost installation
  2. Follow the standard Ghost update procedure for your installation method
  3. Verify your site is functioning correctly after the update

No configuration changes are required after updating.

Bug Fixes

No general bug fixes were included in this release. The changes were specifically focused on addressing the security vulnerability.

New Features

No new features were added in this release. This is a security-focused update that addresses a specific vulnerability in the theme system.

Security Updates

Theme Directory File Access Restriction

This release fixes a critical security vulnerability that allowed themes to read arbitrary files from the server's file system and potentially expose them to the internet via the layout feature of express-hbs.

Previously, a theme could include template syntax like {{!< ../../../../config.production.json}} which would read and output configuration files that might contain sensitive information such as:

  • Database credentials
  • Mail server API keys
  • Other secret tokens and keys

The fix restricts file reading operations to only the theme directory, preventing access to files outside this boundary.

While theme upload is restricted to users with the Admin role, this vulnerability was particularly concerning for hosting providers who store sensitive configuration data on their servers.

Performance Improvements

No specific performance improvements were included in this release.

Impact Summary

This security update addresses a significant vulnerability in Ghost's theme system that could allow malicious themes to access and expose sensitive configuration files from anywhere on the server. The fix restricts file reading to only the theme directory, protecting against potential data breaches.

The impact is most significant for Ghost hosting providers who typically store sensitive configuration data on their servers. Since theme upload is restricted to Admin users, the risk for self-hosted single-site installations is lower but still present if an Admin account is compromised or if a malicious theme is installed.

This update demonstrates Ghost's commitment to security and protecting user data. The quick response to this vulnerability helps maintain trust in the platform for content creators, businesses, and hosting providers alike.

Full Release Notes

Statistics:

Files Changed: 5
Line Additions: 19
Line Deletions: 7
Line Changes: 26
Total Commits: 2

Users Affected:

  • Protected from potential security risks when installing third-party themes
  • Should update immediately to prevent potential data exposure

Contributors:

allouis, github-actions[bot]