ghost is vulnerable to Insufficient Visual Distinction of Homoglyphs Presented to User
17
Low Risk
Affected versions of the package are vulnerable to homoglyph attacks due to insufficient normalization of email addresses. Specifically, the package does not convert Unicode characters in the domain part of email addresses to their ASCII-compatible equivalents. This oversight allows attackers to craft visually deceptive email addresses using Unicode characters that closely resemble legitimate ones (e.g., replacing "example.com" with "exаmple.com", where the "a" is a Cyrillic character). Such homoglyph attacks can be used in phishing, impersonation, or account spoofing scenarios. The patch addresses this issue by introducing a new email normalization utility that converts the domain portion of email addresses to ASCII using Punycode. This ensures that visually similar but technically distinct domain names are treated consistently and securely, reducing the risk of deception or misuse.
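The normalization described above, as an added illustration rather than Ghost's own code or the utility its patch introduces: the domain part is lower-cased and passed through Python's standard-library `idna` codec (nameprep followed by Punycode), so a Cyrillic-lookalike domain comes out as a distinct `xn--` label while a fullwidth-letter lookalike folds back to plain ASCII. The function names, the `has_idn_domain` check and the sample addresses are assumptions constructed for this example.

```python
def normalize_email(address: str) -> str:
    """Return `address` with its domain part lower-cased and converted to
    ASCII (IDNA ToASCII, i.e. Punycode labels carrying the xn-- prefix).

    The local part is left untouched: RFC 5321 treats it as opaque and its
    case may be significant to the receiving server.
    """
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    try:
        # Python's idna codec applies nameprep (case folding + NFKC) to
        # non-ASCII labels and then Punycode-encodes them; pure-ASCII labels
        # are passed through unchanged, hence the explicit lower() first.
        ascii_domain = domain.lower().encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid domain in {address!r}: {exc}") from exc
    return f"{local}@{ascii_domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if both addresses refer to the same mailbox after normalization."""
    return normalize_email(a) == normalize_email(b)


def has_idn_domain(address: str) -> bool:
    """True if any label of the normalized domain is an IDN (xn--) label.

    A sign-up or login flow can use this to flag addresses whose domain only
    *looks* like a familiar ASCII one, for logging or manual review.
    (Hypothetical helper; not part of Ghost.)
    """
    domain = normalize_email(address).rpartition("@")[2]
    return any(label.startswith("xn--") for label in domain.split("."))


if __name__ == "__main__":
    # Constructed samples: the second uses Cyrillic small a (U+0430) in place
    # of Latin 'a'; the third spells "example" with fullwidth Latin letters.
    legit = "alice@example.com"
    cyrillic = "alice@ex\u0430mple.com"
    fullwidth = "alice@\uff45\uff58\uff41\uff4d\uff50\uff4c\uff45.com"
    for addr in (legit, cyrillic, fullwidth):
        print(f"{addr!r:40} -> {normalize_email(addr)!r}  idn={has_idn_domain(addr)}")
    print("same mailbox?", same_mailbox(legit, cyrillic))  # False
```

Punycode conversion makes comparison and storage consistent; it does not by itself say whether an `xn--` domain is a legitimate internationalized domain or a lookalike, so the conservative defensive move is to treat such addresses as worth flagging rather than silently accepting or rejecting them.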
You are affected if you are using a version that falls within the vulnerable range.
ghost is vulnerable to Insufficient Visual Distinction of Homoglyphs Presented to User in versions 0.1.0 - 5.130.1.
Upgrade the ghost library to the patched version.