CVE-2025-9862: Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
A vulnerability in Ghost’s oEmbed mechanism allows staff users to exfiltrate data from internal systems via SSRF.
References
- fluidattacks.com/advisories/regida
- github.com/TryGhost/Ghost
- github.com/TryGhost/Ghost/commit/01d64c7c0ffbf90cd036195c60ded6d08077d612
- github.com/TryGhost/Ghost/commit/ffe9d079afa68557c581d224f1ff126e625b06e3
- github.com/TryGhost/Ghost/releases/tag/v6.0.9
- github.com/TryGhost/Ghost/security/advisories/GHSA-f7qg-xj45-w956
- github.com/advisories/GHSA-f7qg-xj45-w956
- nvd.nist.gov/vuln/detail/CVE-2025-9862