CVE-2023-32235 Overview
CVE-2023-32235 is a path traversal vulnerability affecting Ghost CMS versions prior to 5.42.1. This vulnerability allows remote attackers to read arbitrary files within the active theme's folder by exploiting improper path handling in the static theme middleware. The attack leverages URL-encoded directory traversal sequences (/assets/built%2F..%2F..%2F/) to bypass path restrictions and access sensitive files that should not be publicly accessible.
Critical Impact
Remote attackers can read arbitrary files within the active theme's folder without authentication, potentially exposing sensitive configuration files, custom templates, and theme-specific data stored within Ghost CMS themes.
Affected Products
- Ghost CMS versions prior to 5.42.1
- Ghost CMS for Node.js (all platforms)
- Self-hosted Ghost installations using vulnerable theme middleware
Discovery Timeline
- 2023-05-05 - CVE-2023-32235 published to NVD
- 2025-01-29 - Last updated in NVD database
Technical Details for CVE-2023-32235
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in Ghost CMS's static theme file serving middleware, specifically located in frontend/web/middleware/static-theme.js. The vulnerability stems from insufficient input validation when processing URL-encoded path segments in file requests.
When a user requests a static asset from a Ghost theme, the middleware processes the file path without properly decoding and validating URL-encoded characters before checking for directory traversal attempts. An attacker can use encoded path separators like %2F (which decodes to /) combined with .. sequences to escape the intended /assets/built/ directory and access other files within the theme folder.
The attack is particularly effective because the path validation occurs before URL decoding, allowing the encoded traversal sequences to bypass security checks. Once the path reaches the file system, the encoded characters are decoded, resulting in actual directory traversal.
Root Cause
The root cause of this vulnerability is the improper order of operations in path validation. The middleware checks for directory traversal patterns on the raw URL-encoded input rather than first decoding the URL components. This allows attackers to evade pattern matching by encoding special characters like forward slashes (/ → %2F) and periods.
The vulnerable code path fails to call decodeURIComponent() on the file path before performing security validations, creating a classic URL encoding bypass scenario common in path traversal vulnerabilities.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker crafts a malicious HTTP request to the Ghost CMS server using URL-encoded directory traversal sequences:
GET /assets/built%2F..%2F..%2Fpartials%2Fdefault.hbs HTTP/1.1
Host: vulnerable-ghost-site.com
This request appears to target the /assets/built/ directory, but after URL decoding it becomes /assets/built/../../partials/default.hbs, which normalizes to partials/default.hbs at the theme root, two levels above the built assets folder, so other theme files are served.
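To make the ordering bug concrete, here is an added example that is not Ghost's code: a minimal model of a static-asset gate that must keep requests under the theme's /assets/ path, written once in the vulnerable order (check, then decode) and once in the patched order (decode, then check). The per-segment check, the `/assets/` confinement prefix and the helper names are assumptions of the model; the request path is the one from the advisory.

```javascript
// Added example, not Ghost's code. Models the two orders of operations the
// advisory contrasts for a gate that must keep requests under /assets/.
const ASSET_PREFIX = '/assets/'; // assumed confinement root for the model

// Resolve "." and ".." segments the way a POSIX file server would, with
// ".." at the root staying at the root.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// VULNERABLE ORDER: validate the raw request path, decode later (inside the
// file-serving layer). To this check "%2F" is not a separator, so
// "built%2F..%2F..%2Fpartials%2Fdefault.hbs" is one segment that never
// equals "..", and the request is allowed through.
function isAllowedCheckThenDecode(rawPath) {
  if (!rawPath.startsWith(ASSET_PREFIX)) return false;
  return !rawPath.split('/').includes('..');
}

// What the file-serving layer then opens, relative to the theme root,
// after it performs its single decode of the same path.
function resolvedThemePath(rawPath) {
  return normalizePosix(decodeURIComponent(rawPath));
}

// PATCHED ORDER: decode first (a malformed %-sequence is a denial, as in the
// upstream decode() helper), normalize, then confine the result.
function isAllowedDecodeThenCheck(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return false; // e.g. "%zz": decodeURIComponent throws URIError
  }
  return normalizePosix(decoded).startsWith(ASSET_PREFIX);
}

// Side-by-side view for one request path.
function demo(rawPath) {
  return {
    vulnerableAllows: isAllowedCheckThenDecode(rawPath),
    opensOnDisk: resolvedThemePath(rawPath),
    patchedAllows: isAllowedDecodeThenCheck(rawPath),
  };
}

console.log(demo('/assets/built%2F..%2F..%2Fpartials%2Fdefault.hbs'));
```

The patched order decodes exactly once, the same number of times the serving layer in the model does, so a double-encoded path (`%252F`) stays a literal, non-existent file name under /assets/ rather than being over-decoded into a traversal; encoded dots (`%2e%2e`) are caught for the same reason the encoded slashes are, because the check sees the decoded segments.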
The security patch implements proper URL decoding before path validation:
return deniedFiles.includes(base) || deniedFileTypes.includes(ext);
}
+/**
+ * Copy from:
+ * https://github.com/pillarjs/send/blob/b69cbb3dc4c09c37917d08a4c13fcd1bac97ade5/index.js#L987-L1003
+ *
+ * Allows V8 to only deoptimize this fn instead of all
+ * of send().
+ *
+ * @param {string} filePath
+ * @returns {string|number} returns -1 number if decode decodeURIComponent throws
+ */
+function decode(filePath) {
+ try {
+ return decodeURIComponent(filePath);
+ } catch (err) {
+ return -1;
+ }
+}
+
+/**
+ *
+ * @param {string} file path to a requested file
+ * @returns {boolean}
+ */
function isAllowedFile(file) {
+ const decodedFilePath = decode(file);
+ if (decodedFilePath === -1) {
+ return false;
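Review bot: the excerpt stops at `return false;` inside `isAllowedFile`, so the lines that matter most, where `decodedFilePath` replaces the raw `file` in the `deniedFiles`/`deniedFileTypes` and traversal checks, are not shown; the visible change only guarantees that a path with a malformed %-sequence is rejected. Style point on `decode()`: returning `-1` from a function documented as `@returns {string|number}` forces every caller to remember the sentinel, and the later `if (decodedFilePath === -1)` is easy to omit; returning `null` and testing `=== null` (or letting the `URIError` propagate to one handler) is harder to get wrong. The doc comment also has a duplicated word in `if decode decodeURIComponent throws`.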
Source: GitHub Commit Update
Detection Methods for CVE-2023-32235
Indicators of Compromise
- HTTP requests containing URL-encoded path traversal sequences like %2F..%2F or %2F..%2F..%2F targeting /assets/ endpoints
- Unusual access patterns to theme files outside the /assets/built/ directory
- Web server logs showing requests with encoded directory traversal patterns
- Abnormal file access attempts logged by the Ghost CMS application
Detection Strategies
- Implement web application firewall (WAF) rules to detect URL-encoded path traversal attempts in request URIs
- Monitor HTTP access logs for requests containing %2F..%2F sequences targeting static asset endpoints
- Deploy intrusion detection system (IDS) signatures for encoded directory traversal patterns
- Enable verbose logging in Ghost CMS to capture suspicious file access requests
Monitoring Recommendations
- Configure log aggregation to alert on requests containing encoded traversal sequences
- Monitor Ghost CMS theme folder access patterns for anomalous file reads
- Implement rate limiting on asset requests to slow potential automated scanning
- Review web server access logs periodically for path traversal attack signatures
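The indicators, detection strategies and monitoring recommendations above, as an added example that is not part of this advisory: a small scanner over access-log lines in Common Log Format that reports encoded, encoded-dot and double-encoded traversal attempts against /assets/ and leaves ordinary percent-encoded file names alone. The log lines, client addresses, the `/assets/` prefix and the function names are constructed for the example; a literal grep for `%2F..%2F` would miss the `%2e%2e` and mixed-case variants this catches.

```javascript
// Added example, not from Ghost or this advisory. Constructed access-log
// lines (Common Log Format); addresses are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.5 - - [05/May/2023:10:00:01 +0000] "GET /assets/built/app.js HTTP/1.1" 200 1234',
  '203.0.113.5 - - [05/May/2023:10:00:02 +0000] "GET /assets/built%2F..%2F..%2Fpartials%2Fdefault.hbs HTTP/1.1" 200 512',
  '198.51.100.7 - - [05/May/2023:10:00:03 +0000] "GET /assets/built/%2e%2e/%2e%2e/partials/default.hbs HTTP/1.1" 200 512',
  '198.51.100.7 - - [05/May/2023:10:00:04 +0000] "GET /assets/built%252F..%252F..%252Fpartials%252Fdefault.hbs HTTP/1.1" 404 0',
  '192.0.2.9 - - [05/May/2023:10:00:05 +0000] "GET /assets/built/my%20theme.css HTTP/1.1" 200 88',
];

const ASSET_PREFIX = '/assets/'; // assumed static-asset prefix to watch

// Pull the request target out of a Common Log Format line.
function requestPath(line) {
  const m = /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// Decode until the string stops changing (bounded), so "%252F" is seen as
// the "%2F" a second decoder would produce. Returns null on a malformed
// %-sequence, which is itself worth flagging.
function fullyDecode(p, maxRounds = 3) {
  let cur = p;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      return null;
    }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Classify one request path. Returns a reason string, or null if benign.
function classify(rawPath) {
  if (!rawPath || !rawPath.startsWith(ASSET_PREFIX)) return null;
  const decoded = fullyDecode(rawPath);
  if (decoded === null) return 'malformed percent-encoding';
  // Only a ".." segment in the decoded path can leave the asset folder.
  if (!decoded.split('/').includes('..')) return null;
  // Distinguish how the traversal was hidden from a raw-path check.
  if (/%25/i.test(rawPath)) return 'double-encoded traversal';
  if (rawPath.split('/').includes('..')) return 'literal traversal';
  return 'encoded traversal';
}

// Scan a list of log lines; returns one hit per suspicious request.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const p = requestPath(line);
    const reason = classify(p);
    if (reason) hits.push({ lineNo: i + 1, path: p, reason });
  });
  return hits;
}

console.log(scanLog(SAMPLE_LOG));
```

Feeding real access logs through `scanLog` and alerting on any hit implements the log-aggregation rule suggested above; a 200 status on a hit (as on the constructed lines 2 and 3) is the case to treat as possible exploitation rather than a blocked probe.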
How to Mitigate CVE-2023-32235
Immediate Actions Required
- Upgrade Ghost CMS to version 5.42.1 or later immediately
- Review web server logs for evidence of exploitation attempts using encoded path traversal
- Audit theme folder contents to identify any sensitive files that may have been exposed
- Implement WAF rules to block URL-encoded path traversal attempts as an interim measure
Patch Information
The Ghost development team has released version 5.42.1 which addresses this vulnerability. The fix implements proper URL decoding of file paths before performing path validation checks, preventing the bypass of security controls through encoding tricks.
Upgrade using the Ghost-CLI tool:
ghost update
For detailed changes between the vulnerable and patched versions, see the GitHub Version Comparison.
Workarounds
- Deploy a reverse proxy or WAF configured to decode and inspect URLs before forwarding to Ghost CMS
- Implement URL normalization rules at the web server level to reject requests containing encoded traversal sequences
- Restrict direct access to the Ghost application by using a CDN with built-in path traversal protections
- Consider temporarily disabling custom themes and using default themes until patching is complete
# Nginx configuration to block encoded path traversal (interim workaround)
location /assets/ {
    # $request_uri is the raw, still-encoded URI, so the encoded traversal
    # sequence is visible here. Match ".." with either the dots or the
    # surrounding slashes percent-encoded (%2e = ".", %2f = "/"); ~* makes
    # the match case-insensitive, so %2F and %2f are both covered.
    if ($request_uri ~* "(/|%2f)(\.|%2e){2}(/|%2f)") {
        return 403;
    }
    # Requests that pass the check fall through to the existing proxy or
    # static-file configuration for this location.
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

