CVE-2024-34451

CVSS 9.1 CRITICALEPSS 0.8%CWE-1390

In short

Ghost versions up to 5.85.1 have a flaw where attackers can bypass login attempt limits by sending multiple fake origin headers, making it easier to guess passwords through brute-force attacks.

Technical detail

Ghost fails to properly validate X-Forwarded-For headers when enforcing authentication rate limits, allowing attackers to spoof multiple client IPs and circumvent brute-force protections. This requires network access to the Ghost instance and assumes the application trusts proxy headers without validation; the impact is degraded authentication security.

Summary generated and translated by AI from the official description.

Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For headers with different values. NOTE: the vendor's position is that Ghost should be installed with a reverse proxy that allows only trusted X-Forwarded-For headers.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.google.com/document/d/1iy0X4Vc9xXYoBxFrcW6ATo8GKPV6ivuLVzn6GgEpwqE https://ghost.org/docs/faq/proxying-https-infinite-loops/https://github.com/TryGhost/Ghost/releases