CVE-2025-9862: 
JavaScript vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Ghost's oEmbed mechanism, identified as CVE-2025-9862. The vulnerability affects Ghost versions 5.99.0 to 5.130.3 and 6.0.0 to 6.0.8, and was disclosed on September 14, 2025. The vulnerability allows staff users to exfiltrate data from internal systems through the oEmbed bookmark functionality (GitHub Advisory).

The vulnerability exists in Ghost's oEmbed mechanism where the system fails to properly validate URLs during the bookmark processing. The issue stems from using native fetch instead of SSRF-hardened externalRequest method when fetching image buffers from URLs. The vulnerability has been assigned a CVSS v4.0 score with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N, indicating moderate severity (6.1) (GitHub Security).

When exploited, this vulnerability allows staff users to access and exfiltrate data from internal systems that should not be accessible. The vulnerability specifically impacts the confidentiality of subsequent systems while the vulnerable system itself maintains its security properties (GitHub Advisory).

The vulnerability has been patched in Ghost versions 5.130.4 and 6.0.9. The fix involves replacing the native fetch with the SSRF-hardened externalRequest method and adding an eslint rule to prevent usage of fetch. Users should upgrade to these patched versions to protect against this vulnerability (GitHub Advisory).

The vulnerability was responsibly disclosed by security researcher Cristian Vargas. Ghost's security team acknowledged the finding and promptly released patches to address the vulnerability (GitHub Security).