Context
Ghost has had file upload security incidents in the past — CVE-2023-40028
(symlink in ZIP), CVE-2024-23724 (SVG XSS via upload). While those specific
issues were about path traversal and sanitization, they highlight that the
upload pipeline is a security-relevant surface.
One layer that's currently missing is malware scanning — a user with
upload access can send a malicious binary, macro-infected document or
trojanized archive that then gets served to other users or admins.
Proposed addition
pompelmi is a zero-dependency Node.js/TypeScript wrapper around ClamAV that could be added as an opt-in scanning step in the upload middleware:

```js
import pompelmi from 'pompelmi';

// In upload middleware, before saving to storage: scan the temp file and
// reject the request if ClamAV reports it as malicious.
export async function scanUpload(req, res, next) {
  const result = await pompelmi.scan(req.file.path);
  if (result === 'Malicious') {
    return res.status(400).json({ error: 'File rejected: malware detected' });
  }
  return next();
}
```
Why opt-in? ClamAV is not always available in Ghost's hosting
environments (Ghost Pro, shared hosting). Making this an optional config
flag (scanning.enabled: true) would let self-hosters and enterprise
users enable it without affecting the default setup.
Zero runtime dependencies, TypeScript-native, Docker TCP mode supported.
Repo: https://github.com/pompelmi/pompelmi
Site: https://pompelmi.app/