
CVE-2025-9862: Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark

CVSS Score: N/A

Basic Information

EPSS Score: 0.15848%
Published: 9/15/2025
Updated: 9/15/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions   | First Patched Version
ghost        | npm       | >= 6.0.0, <= 6.0.8    | 6.0.9
ghost        | npm       | >= 5.99.0, <= 5.130.3 | 5.130.4

Vulnerability Intelligence
Root Cause Analysis

The analysis of the security advisory and the associated commits points to a Server-Side Request Forgery (SSRF) vulnerability within the oEmbed feature of Ghost, specifically when handling bookmarks. The vulnerability, identified as GHSA-f7qg-xj45-w956, allowed authenticated staff users to make the Ghost server issue requests to arbitrary internal services.

The root cause was located in the fetchImageBuffer method of the OEmbedService class. The initial investigation focused on the provided patch commits. Commit 01d64c7c0ffbf90cd036195c60ded6d08077d612 directly addresses the SSRF issue. The diff for ghost/core/core/server/services/oembed/OEmbedService.js clearly shows that the native fetch() call, which does not have any restrictions on the target URL, was replaced by this.externalRequest(). This new method, defined in ghost/core/core/server/lib/request-external.js, is a hardened version of a request client that includes checks to prevent requests to private or local IP addresses, thus mitigating the SSRF risk.

The exploitation scenario involves a staff user creating a bookmark of a malicious URL. When Ghost's backend attempts to generate a preview for this bookmark, it fetches the URL, parses its oEmbed metadata (like og:image), and then uses the vulnerable fetchImageBuffer function to download the specified image. By crafting the og:image URL to point to an internal resource (e.g., http://127.0.0.1:5555/secret-file), an attacker could trick the server into fetching and potentially exposing internal data. The added E2E test in the patch confirms this exact attack vector.

Therefore, the primary vulnerable function is OEmbedService.fetchImageBuffer, as it was the entry point for the unauthorized internal request.

Vulnerable functions

OEmbedService.fetchImageBuffer
ghost/core/core/server/services/oembed/OEmbedService.js
The `fetchImageBuffer` function in the `OEmbedService` class was vulnerable to Server-Side Request Forgery (SSRF). It directly fetched a URL provided in the `og:image` or `icon` metadata of a bookmarked page without proper validation. A malicious staff user could create a bookmark pointing to a page they control, which in turn would have metadata pointing to an internal IP address. When Ghost's backend processed the bookmark to generate a preview, it would make a request to the specified internal service, allowing the attacker to exfiltrate data or probe the internal network.

WAF Protection Rules

WAF Rule

### Impact
A vulnerability in Ghost's oEmbed mechanism allows staff users to exfiltrate data from internal systems via SSRF.
### Vulnerable versions
This vulnerability is present in Ghost v5.99.0 to v5.130.3 and Ghost v6.0.0 to v6.0.8.
### Pat
