CVE-2025-9862

6.5 MEDIUM

📋 TL;DR

A Server-Side Request Forgery (SSRF) vulnerability in Ghost allows attackers to make the server send requests to internal resources that should not be accessible. This affects Ghost installations from versions 6.0.0 through 6.0.8 and 5.99.0 through 5.130.3. Attackers could potentially access internal services, APIs, or cloud metadata endpoints.

💻 Affected Systems

Products:
  • Ghost CMS
Versions: 6.0.0 through 6.0.8, 5.99.0 through 5.130.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Ghost installations within affected version ranges are vulnerable regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker accesses sensitive internal systems, cloud metadata services (exposing credentials), or performs lateral movement to critical infrastructure.

🟠 Likely Case

Attacker scans internal network, accesses internal APIs, or retrieves limited metadata from cloud services.

🟢 If Mitigated

Limited to accessing only non-sensitive internal endpoints due to network segmentation and proper access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some understanding of SSRF techniques and of the target environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.0.9 or later

Vendor Advisory: https://github.com/TryGhost/Ghost/security/advisories/GHSA-f7qg-xj45-w956

Restart Required: No

Instructions:

1. Back up your Ghost installation and database.
2. Update Ghost to version 6.0.9 or later using npm: 'npm update ghost'.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict the Ghost server's outbound network access to only the external services it needs.

Input Validation (applies to: all)

Implement strict URL validation for any user-supplied URLs in custom integrations.

🧯 If You Can't Patch

  • Implement network controls to block Ghost server from accessing internal IP ranges and cloud metadata endpoints.
  • Deploy a web application firewall (WAF) with SSRF protection rules.

🔍 How to Verify

Check if Vulnerable:

Check the Ghost version in the admin panel or run the 'ghost version' command.

Check Version:

ghost version

Verify Fix Applied:

Confirm the version is 6.0.9 or later and verify that SSRF attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Ghost server to internal IPs
  • Requests to cloud metadata endpoints (169.254.169.254, etc.)

Network Indicators:

  • Ghost server making unexpected HTTP requests to internal network segments

SIEM Query:

source="ghost-logs" AND (dst_ip=10.0.0.0/8 OR dst_ip=172.16.0.0/12 OR dst_ip=192.168.0.0/16 OR dst_ip=169.254.169.254)
