CVE-2025-48877
BaseFortify

Publication date: 2025-06-09

Last updated on: 2025-09-25

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.
Affected Vendors & Products
6 associated CPEs
Vendor      Product     Version / Range
discourse   discourse   up to 3.4.4 (exclusive)
discourse   discourse   up to 3.5.0 (exclusive)
discourse   discourse   3.5.0
discourse   discourse   3.5.0
discourse   discourse   3.5.0
discourse   discourse   3.5.0
CWE ID Description
CWE-1038 The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Discourse platform involves the CodePen URL prefix being included by default in the `allowed_iframes` site setting in certain versions. Because CodePen embeds can auto-run the JavaScript of the pen they display, an iframe pointing at CodePen can execute arbitrary JavaScript within the iframe scope, which is unintended behavior. It affects stable versions before 3.4.4, beta versions before 3.5.0.beta5, and tests-passed versions before 3.5.0.beta6-dev. The patched versions remove the CodePen prefix from the default `allowed_iframes` setting. [1]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing third-party CodePen content embedded in a post to automatically execute arbitrary JavaScript within the iframe scope on your Discourse site, without any explicit action by the viewer. This could lead to unintended script execution, potentially compromising site security or user data depending on the code the embedded pen runs. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking the Discourse site's `allowed_iframes` setting to see if it includes a CodePen prefix (for example `https://codepen.io/`); an instance on a version below the patched releases is affected if that prefix is still present. The advisory provides no specific commands, but inspecting the value through the admin site settings interface, the admin site settings API, or the Rails console will show whether CodePen is enabled. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, remove the CodePen prefix from the 'allowed_iframes' site setting in your Discourse installation. Alternatively, upgrade your Discourse instance to version 3.4.4 or later on the stable branch, 3.5.0.beta5 or later on the beta branch, or 3.5.0.beta6-dev or later on the tests-passed branch, where this issue is patched. [1]
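The detection and workaround above both come down to one question: does the `|`-separated `allowed_iframes` value contain a prefix under `codepen.io`? The following Ruby script is an added example, not Discourse's own code, that audits a setting value and produces the remediated value the advisory's workaround describes. The `SAMPLE_SETTING` string is constructed for the example and only resembles the pre-3.4.4 default (the assumption that CodePen appeared as the bare prefix `https://codepen.io/` should be checked against your own instance); the host-matching logic also flags `codepen.io` subdomains while rejecting lookalike hosts, which goes slightly beyond the single prefix named in the advisory.

```ruby
# Added example (not part of the Discourse project): audit and fix the
# `allowed_iframes` site setting for CVE-2025-48877.
#
# Discourse stores list settings as "|"-separated strings. Any prefix whose
# host is codepen.io (or a subdomain of it) lets a CodePen embed run the
# pen's own JavaScript inside the iframe, which is the unintended behaviour.
require "uri"

CODEPEN_HOST = "codepen.io".freeze

# Split the raw setting into individual URL prefixes, dropping empty entries.
def iframe_prefixes(setting_value)
  setting_value.to_s.split("|").map(&:strip).reject(&:empty?)
end

# True when a prefix points at codepen.io or one of its subdomains.
# Entries are URL prefixes, not always complete URLs, so if URI parsing fails
# we fall back to a case-insensitive substring check.
def codepen_prefix?(prefix)
  host = (URI.parse(prefix).host rescue nil)
  if host
    host = host.downcase
    host == CODEPEN_HOST || host.end_with?(".#{CODEPEN_HOST}")
  else
    prefix.downcase.include?(CODEPEN_HOST)
  end
end

# All prefixes in the setting that would allow a CodePen embed.
def codepen_entries(setting_value)
  iframe_prefixes(setting_value).select { |p| codepen_prefix?(p) }
end

# Detection: the instance is exposed if any CodePen prefix is allowed.
def vulnerable?(setting_value)
  !codepen_entries(setting_value).empty?
end

# Workaround from the advisory: remove the CodePen prefix, keep everything else.
def remove_codepen(setting_value)
  iframe_prefixes(setting_value).reject { |p| codepen_prefix?(p) }.join("|")
end

# Constructed sample value (assumption: shaped like the pre-3.4.4 default,
# which listed CodePen as the bare prefix "https://codepen.io/").
SAMPLE_SETTING = "https://www.google.com/maps/embed?" \
                 "|https://www.openstreetmap.org/export/embed.html?" \
                 "|https://codepen.io/".freeze

if __FILE__ == $PROGRAM_NAME
  # Pass the real value as the first argument, e.g. the output of
  # `SiteSetting.allowed_iframes` from the Rails console.
  value = ARGV[0] || SAMPLE_SETTING
  hits = codepen_entries(value)
  if hits.empty?
    puts "allowed_iframes contains no CodePen prefix"
  else
    puts "VULNERABLE: allowed_iframes allows #{hits.join(', ')}"
    puts "Suggested value: #{remove_codepen(value)}"
  end
end
```

On a standard Docker-based install the current value can be read with `SiteSetting.allowed_iframes` in the Rails console (`cd /var/discourse && ./launcher enter app && rails c`), and the remediated string can be written back with `SiteSetting.allowed_iframes = "..."` or through the admin site settings UI; treat the exact console paths as an assumption about your deployment and, once the instance is upgraded to a patched release, confirm the prefix did not come back through a local override of the setting.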

