N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-9862

GHSA ID

GHSA-f7qg-xj45-w956

EPSS Score

0.15848%

CWE

CWE-918

Published

9/15/2025

Updated

9/15/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-9862

CVE-2025-9862: Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark

Impact

A vulnerability in Ghost's oEmbed mechanism allows staff users to exfiltrate data from internal systems via SSRF.

Vulnerable versions

This vulnerability is present in Ghost v5.99.0 to v5.130.3 to and Ghost v6.0.0 to v6.0.8.

Patches

v5.130.4 and v6.0.9 contain a fix for this issue.

References

The original report will be available here: https://help.fluidattacks.com/portal/en/kb/articles/regida

We thank Cristian Vargas for discovering and disclosing this vulnerability responsibly.

For more information

If you have any questions or comments about this advisory, email us at security@ghost.org.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-9862

CVE-2025-9862:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-9862

GHSA ID

GHSA-f7qg-xj45-w956

EPSS Score

0.15848%

CWE

CWE-918

Published

9/15/2025

Updated

9/15/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ghost	npm	>= 6.0.0, <= 6.0.8	6.0.9
ghost	npm	>= 5.99.0, <= 5.130.3	5.130.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security advisory and the associated commits points to a Server-Side Request Forgery (SSRF) vulnerability within the oEmbed feature of Ghost, specifically when handling bookmarks. The vulnerability, identified as GHSA-f7qg-xj45-w956, allowed authenticated staff users to make the Ghost server issue requests to arbitrary internal services.

The root cause was located in the fetchImageBuffer method of the OEmbedService class. The initial investigation focused on the provided patch commits. Commit 01d64c7c0ffbf90cd036195c60ded6d08077d612 directly addresses the SSRF issue. The diff for ghost/core/core/server/services/oembed/OEmbedService.js clearly shows that the native fetch() call, which does not have any restrictions on the target URL, was replaced by this.externalRequest(). This new method, defined in ghost/core/core/server/lib/request-external.js, is a hardened version of a request client that includes checks to prevent requests to private or local IP addresses, thus mitigating the SSRF risk.

The exploitation scenario involves a staff user creating a bookmark of a malicious URL. When Ghost's backend attempts to generate a preview for this bookmark, it fetches the URL, parses its oEmbed metadata (like og:image), and then uses the vulnerable fetchImageBuffer function to download the specified image. By crafting the og:image URL to point to an internal resource (e.g., http://127.0.0.1:5555/secret-file), an attacker could trick the server into fetching and potentially exposing internal data. The added E2E test in the patch confirms this exact attack vector.

Therefore, the primary vulnerable function is OEmbedService.fetchImageBuffer, as it was the entry point for the unauthorized internal request.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-9862: Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark

Impact

Vulnerable versions

Patches

References

For more information

CVE-2025-9862:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-9862: Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark

Impact

Vulnerable versions

Patches

References

For more information

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI