ghost is vulnerable to Race Condition (TOCTOU)
21
Low Risk
In the comments UI (apps/comments-ui), when posting a reply (including a reply to a reply), addReply mutated the shared reply object and appended the new comment locally to the parent's replies array using state that could be stale. Under a race (e.g. opening multiple reply forms or rapid UI updates), the form could act on stale data, so either the wrong parent_id was sent to the API or the reply was merged into the wrong comment's list client-side. Either way, a reply could be stored under, or displayed under, the wrong comment (wrong attribution). The fix passes an explicit {...reply, parent_id: parent.id} to the API and refetches all replies from the server after posting instead of appending locally, so the correct parent is always used and concurrent replies from other users are reflected.
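The interleaving described above, as an added illustration that is not Ghost's comments-ui code: a constructed in-memory FakeCommentsApi stands in for the server, vulnerableClient reuses one mutable reply object across forms and appends locally, and fixedClient pins parent_id at submission and refetches. All three names, and the replay scenario (open a form on A, open a form on B, then submit A's form), are assumptions made for this example.

```javascript
// Minimal in-memory stand-in for the comments API (constructed; not Ghost's server).
class FakeCommentsApi {
  constructor(topLevelIds) {
    this.replies = new Map(topLevelIds.map((id) => [id, []]));
  }
  postReply(reply) {
    // The server files the reply under whatever parent_id the client sends.
    if (!this.replies.has(reply.parent_id)) throw new Error(`unknown parent ${reply.parent_id}`);
    const stored = { id: `r${this.replies.get(reply.parent_id).length + 1}`, ...reply };
    this.replies.get(reply.parent_id).push(stored);
    return stored;
  }
  fetchReplies(parentId) {
    return this.replies.get(parentId).map((r) => ({ ...r }));
  }
}

function freshState(topLevelIds) {
  return { comments: topLevelIds.map((id) => ({ id, replies: [] })) };
}

// Vulnerable pattern: a single reply object is shared between reply forms and
// mutated whenever a form opens (time of check), while the submitted reply is
// appended locally under the comment the form was opened for (time of use).
function vulnerableClient(api, state) {
  const sharedReply = { html: '' };
  return {
    openReplyForm(parent) {
      sharedReply.parent_id = parent.id;     // overwrites the parent of any form still open
      return sharedReply;
    },
    addReply(parent, reply) {
      const sent = api.postReply(reply);     // sends whatever parent_id the object holds now
      const local = state.comments.find((c) => c.id === parent.id);
      local.replies.push(sent);              // appended under the form's parent regardless
    },
  };
}

// Fixed pattern: the parent id is pinned at submission with
// {...reply, parent_id: parent.id}, and the list is refetched instead of appended.
function fixedClient(api, state) {
  return {
    openReplyForm(parent) {
      return { html: '', parent_id: parent.id };   // each form owns its reply object
    },
    addReply(parent, reply) {
      api.postReply({ ...reply, parent_id: parent.id });
      const local = state.comments.find((c) => c.id === parent.id);
      local.replies = api.fetchReplies(parent.id); // server is the source of truth
    },
  };
}

// Replays one interleaving against a client: open a form on A, open a second
// form on B before submitting, then submit A's form. Returns reply counts per
// top-level comment as seen by the server and by the client cache, for ['A', 'B'].
function replay(makeClient) {
  const ids = ['A', 'B'];
  const api = new FakeCommentsApi(ids);
  const state = freshState(ids);
  const client = makeClient(api, state);
  const [a, b] = state.comments;
  const formA = client.openReplyForm(a);
  formA.html = 'reply meant for A';
  client.openReplyForm(b);                 // second form opens while the first is pending
  client.addReply(a, formA);
  return {
    server: ids.map((id) => api.fetchReplies(id).length),
    client: state.comments.map((c) => c.replies.length),
  };
}

console.log('vulnerable:', replay(vulnerableClient)); // server files it under B, client shows it under A
console.log('fixed:     ', replay(fixedClient));      // both agree: under A
```

With the vulnerable client the server and the client cache disagree (the reply lands under B server-side but is rendered under A), which is the wrong-attribution outcome the advisory describes; the fixed client keeps both in sync because the parent is taken from the form's own parent at submission and the rendered list comes from the server.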
You are affected if you are using a version that falls within the vulnerable range.
ghost is vulnerable to Race Condition (TOCTOU) in versions 5.105.0 - 6.21.2.
Upgrade the ghost library to a patched version (one outside the vulnerable range).