CVE-2025-48954
Published: 25 June 2025
Summary
CVE-2025-48954 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Discourse Discourse. Its CVSS base score is 8.1 (High).
Operationally, ranked in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Discourse, an open-source discussion platform, is affected by CVE-2025-48954, a cross-site scripting vulnerability (CWE-79) present in versions prior to 3.5.0.beta6. The flaw manifests specifically when the content security policy is disabled and social logins are in use, allowing attacker-controlled content to execute in users' browsers. The issue carries a CVSS 3.1 score of 8.1, reflecting network attack vector, low complexity, no required privileges, and required user interaction.
An unauthenticated attacker can exploit the vulnerability by crafting a malicious social-login flow that injects scripts into the Discourse instance. Successful exploitation grants the ability to read sensitive data and perform actions on behalf of the victim user, resulting in high impact to confidentiality and integrity without affecting availability.
The official advisory at https://github.com/discourse/discourse/security/advisories/GHSA-26p5-mjjh-wfcf states that version 3.5.0.beta6 contains the fix. As a workaround, administrators are advised to enable the content security policy until the update can be applied.
EPSS for the CVE reached a peak of 0.1558 after disclosure before settling at the current value of 0.1012, indicating emerging exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28274
Vulnerability details
Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.