CVE-2023-32235
Published 2023-05-05
CVE-2023-32235: Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This…
Priority: P1 · 81 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 39.08% (98.4th percentile)
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ghost | ghost | < 5.42.1 | 5.42.1 |
| ghost | ghost | >= 0 < 5.42.1 | 5.42.1 |
Detection & IOCs (extracted from sources)
sigma
matchers: word body contains '"name"' AND '"version"' AND '"ghost"'; header contains 'application/json'; status 200 on path /assets/built%2F..%2F..%2F/package.json
- Detect path traversal attempts against Ghost CMS by monitoring HTTP GET requests containing the encoded traversal sequence '%2F..%2F..%2F' in the URL path under /assets/built/.
- Flag HTTP 200 responses with Content-Type 'application/json' to requests matching /assets/built%2F..%2F..%2F/* as successful exploitation indicators.
- Shodan queries 'http.component:"Ghost"' and 'http.component:"ghost"' can be used to identify internet-exposed Ghost CMS instances for proactive scanning.
- Monitor for bypass encoding variants in the traversal path, including double URL encoding (%252f), overlong UTF-8 (%c0%af), and mixed encoding (.%2e/) targeting /assets/built/.
- Sensitive file targets in exploitation include config.production.json, config.development.json, and .env; alert on traversal requests resolving to these filenames.
- The vulnerability is fixed in Ghost version 5.42.1; instances running versions prior to this are affected. The vulnerable code path is specifically in frontend/web/middleware/static-theme.js.
- The traversal is scoped to the active theme's folder, not the full filesystem root; file reads outside the theme directory may require additional traversal depth depending on theme installation path.
- The Nuclei template uses stop-at-first-match with two probe URLs; the second probe uses a malformed encoding (%E0%A4%A) as a bypass variant, so detection logic should account for both standard and malformed encoded traversal sequences.
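
The detection points above combined into one access-log filter, as an added example (not code from any of the cited sources). It assumes log records are already parsed into request path, status and Content-Type; the function names and sample records are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

PREFIX = "/assets/built"
SENSITIVE = {"config.production.json", "config.development.json", ".env"}
MALFORMED = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits

def normalize(raw_path, max_rounds=4):
    """Undo nested percent-encoding and overlong UTF-8 forms of '/' and '.'."""
    data = raw_path.split("?", 1)[0].encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        decoded = decoded.replace(b"\xc0\xaf", b"/").replace(b"\xc0\xae", b".")
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1").replace("\\", "/")

def classify(raw_path, status, content_type=""):
    """Return None for benign requests, else a dict describing the hit."""
    path = normalize(raw_path)
    if not path.lower().startswith(PREFIX):
        return None
    segments = path.split("/")
    if ".." not in segments and not MALFORMED.search(raw_path):
        return None
    target = segments[-1]
    served_json = status == 200 and "application/json" in content_type.lower()
    return {
        "verdict": "likely-success" if served_json else "attempt",
        "target": target,
        "sensitive": target.lower() in SENSITIVE,
    }

# Constructed access-log records: (request path, status, Content-Type).
SAMPLE = [
    ("/assets/built/casper.js", 200, "application/javascript"),
    ("/assets/built%2F..%2F..%2F/package.json", 200, "application/json; charset=UTF-8"),
    ("/assets/built%252F..%252F..%252Fconfig.production.json", 404, "text/html"),
    ("/assets/built%c0%af..%c0%af..%c0%af.env", 404, "text/html"),
    ("/assets/built/.%2e/.%2e/config.development.json", 404, "text/html"),
    ("/assets/built%2F..%2F%E0%A4%A/package.json", 400, "text/html"),
]

def scan(records):
    # Keep only the hits, each paired with the raw path that produced it.
    return [(p, hit) for p, s, ct in records if (hit := classify(p, s, ct))]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Matching on the normalized path rather than the raw string is what lets one rule cover the double-encoded, overlong and mixed variants; the malformed-escape check runs on the raw path because decoding leaves such sequences untouched.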
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
OSV
Path Traversal in Ghost
osv·2023-05-05
CVE-2023-32235 [HIGH] Path Traversal in Ghost
GHSA
Path Traversal in Ghost
ghsa·2023-05-05
CVE-2023-32235 [HIGH] CWE-22 Path Traversal in Ghost
VulnCheck
ghost ghost Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2023·CVSS 7.5
CVE-2023-32235 [HIGH] ghost ghost Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: ghost ghost
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-32235; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-20&host_type=src&vulnerability=cve-2023-32235; https://dashboard.shadowse
No detection rules found.
Exploit-DB
Ghost CMS 5.42.1 - Path Traversal
exploitdb·2025-08-11·CVSS 7.5
CVE-2023-32235 [HIGH] Ghost CMS 5.42.1 - Path Traversal
---
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
# Exploit Title: Ghost CMS 5.42.1 - Path Traversal
# Date: 2023-06-15
# Exploit Author: ibrahimsql (https://github.com/ibrahimsql)
# Vendor Homepage: https://ghost.org
# Software Link: https://github.com/TryGhost/Ghost
# Version: =2.28.1
"""
import requests
import sys
import urllib.parse
from typing import Dict, List, Tuple, Optional


class ExploitResult:
    def __init__(self):
        self.success = False
        self.payload = ""
        self.response = ""
        self.status_code = 0
        self.description = "Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built/../..// directory traversal"
        self.severity = "High"


class PathTraversalExploit:
    def __init__(self, target_url: s
```
Nuclei
Ghost CMS < 5.42.1 - Path Traversal
nuclei·CVSS 7.5
CVE-2023-32235 [HIGH] Ghost CMS < 5.42.1 - Path Traversal
Template:
```yaml
id: CVE-2023-32235

info:
  name: Ghost CMS < 5.42.1 - Path Traversal
  author: j3ssie
  severity: high
  description: |
    Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
  impact: |
    An attacker can exploit this vulnerability to access sensitive files on the server, potentially leading to unauthorized disclosure of sensitive information.
  remediation: Fixed in version 5.42.1
  reference:
    - h
```
Published: 2023-05-05
Exploited in the wild