VYPR
High severity · NVD Advisory · Published May 5, 2023 · Updated Jan 29, 2025

CVE-2023-32235

Description

Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ghost before 5.42.1 allows directory traversal in static-theme.js, enabling attackers to read arbitrary theme files via encoded path traversal.

Vulnerability

The vulnerability exists in Ghost's static theme middleware (frontend/web/middleware/static-theme.js). The isAllowedFile function checks if a requested file path starts with /assets/ but does not decode URL-encoded characters before validation. By using %2F (encoded /) and .. sequences like /assets/built%2F..%2F..%2F, an attacker can bypass the directory restriction and access files outside the intended /assets/ folder [1]. The root cause is a missing decodeURIComponent call before path normalization [2].

Exploitation

An unauthenticated remote attacker can craft a GET request to a URL such as /assets/built%2F..%2F..%2Fpackage.json to read the theme's package.json file. No special privileges or network position is required; the attack is accomplished via a simple HTTP request [1]. The encoded traversal sequences pass the prefix check because the raw string still begins with /assets/, and only after decoding does the path escape the allowed directory [2].

Impact

Successful exploitation allows an attacker to read any file within the active theme's folder. This can include configuration files, templates, or other sensitive data that might expose API keys, database credentials, or proprietary theme logic. The vulnerability does not allow arbitrary file read outside the theme folder, but the theme folder may contain critical secrets [1][2].

Mitigation

The issue is fixed in Ghost version 5.42.1. The patch introduces a decode function that decodes URL-encoded characters and then normalizes the path before checking the allowed prefix [2]. Users running Ghost should upgrade to 5.42.1 or later immediately [4]. No workarounds are available.
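
The raw-prefix check described under Vulnerability, next to the decode-then-normalize check described under Mitigation, as an added example rather than Ghost's own code. The names isAllowedRaw, isAllowedDecoded and normalizePath are hypothetical, and the sample paths are constructed apart from the one quoted in the advisory.

```javascript
// Added illustration, not Ghost's source. All function names are hypothetical.
const ALLOWED_PREFIX = '/assets/';

// Collapse "." and ".." segments of a POSIX-style URL path.
function normalizePath(p) {
    const out = [];
    for (const seg of p.split('/')) {
        if (seg === '' || seg === '.') continue;
        if (seg === '..') out.pop();
        else out.push(seg);
    }
    return '/' + out.join('/') + (p.endsWith('/') && out.length ? '/' : '');
}

// Pre-fix behaviour as the advisory describes it: the prefix test runs on
// the raw, still-encoded request path.
function isAllowedRaw(requestPath) {
    return requestPath.startsWith(ALLOWED_PREFIX);
}

// Post-fix behaviour as described: decode, normalize, then test the prefix.
function isAllowedDecoded(requestPath) {
    let decoded;
    try {
        decoded = decodeURIComponent(requestPath);
    } catch (err) {
        return false; // malformed percent-encoding: reject rather than guess
    }
    return normalizePath(decoded).startsWith(ALLOWED_PREFIX);
}

// Constructed sample paths; the second is the one quoted in the advisory.
const samples = [
    '/assets/built/screen.css',               // ordinary asset
    '/assets/built%2F..%2F..%2Fpackage.json', // encoded traversal
    '/assets/built%2Fscreen.css',             // encoded but stays in /assets/
    '/assets/%E0%A4%A',                       // malformed encoding
];

// Run both checks over a list of paths so the verdicts can be compared.
function compare(paths) {
    return paths.map((p) => ({ path: p, raw: isAllowedRaw(p), decoded: isAllowedDecoded(p) }));
}

console.table(compare(samples));
```

Rows where the two verdicts differ are the requests that the raw-prefix check lets through and the decoded check rejects.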

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ghost (npm)
Affected versions: < 5.42.1
Patched versions: 5.42.1
