cbcvebase.
CVE-2023-32235
published 2023-05-05

Priority: P1 (81) · High · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
In the wild: exploited (VulnCheck KEV)
EPSS: 39.08% (98.4th percentile)
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.

Affected (2 ranges)

Vendor  Product  Version range     Fixed in
ghost   ghost    < 5.42.1          5.42.1
ghost   ghost    >= 0, < 5.42.1    5.42.1

Detection & IOCs (extracted from sources)

url:   /assets/built%2F..%2F..%2F/package.json
url:   /assets/built%2F..%2F..%2F%E0%A4%A/package.json
path:  /assets/built%2F..%2F..%2F/
path:  frontend/web/middleware/static-theme.js
sigma: matchers: word body contains '"name"' AND '"version"' AND '"ghost"'; header contains 'application/json'; status 200 on path /assets/built%2F..%2F..%2F/package.json
  • Detect path-traversal attempts against Ghost CMS by monitoring HTTP GET requests whose URL path contains the encoded traversal sequence '%2F..%2F..%2F' under /assets/built.
  • Flag HTTP 200 responses with Content-Type 'application/json' to requests matching /assets/built%2F..%2F..%2F/* as indicators of successful exploitation: the probe reads the active theme's package.json.
  • Shodan queries 'http.component:"Ghost"' and 'http.component:"ghost"' can be used to identify internet-exposed Ghost CMS instances for proactive scanning.
  • Monitor for encoding-bypass variants of the traversal sequence targeting /assets/built/, including double URL encoding (%252f), overlong UTF-8 (%c0%af), and mixed encoding (.%2e/). Decode the path before matching rather than matching only the literal '%2F..%2F..%2F'.
  • Sensitive files targeted in exploitation attempts include config.production.json, config.development.json, and .env; alert on traversal requests resolving to these filenames. These files live outside the theme folder, so whether such a request succeeds depends on whether the traversal can escape the theme directory (see the scope note below); the attempt is worth alerting on regardless.
  • The vulnerability is fixed in Ghost 5.42.1; instances running earlier versions are affected. The vulnerable code path is frontend/web/middleware/static-theme.js.
  • The traversal is scoped to the active theme's folder, not the filesystem root; reading files outside the theme directory may require additional traversal depth depending on where the theme is installed.
  • The Nuclei template uses stop-at-first-match with two probe URLs; the second uses a malformed encoding (%E0%A4%A) as a bypass variant, so detection logic should account for both the standard and the malformed encoded traversal sequence.

CVSS provenance

nvd        v3.1  7.5  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck        7.5  HIGH