CVE-2025-48954
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-09-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 3.5.0 (exc) |
| discourse | discourse | 3.5.0 |
| discourse | discourse | 3.5.0 |
| discourse | discourse | 3.5.0 |
| discourse | discourse | 3.5.0 |
| discourse | discourse | 3.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48954 is a high-severity Cross-Site Scripting (XSS) vulnerability in Discourse versions prior to 3.5.0.beta6. It occurs due to improper sanitization of user-provided query parameters during the OAuth failure flow, which allows attackers to inject malicious scripts if the Content Security Policy (CSP) is not enabled. This can lead to unauthorized script execution in users' browsers. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in your users' browsers, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of users. It affects confidentiality and integrity but does not impact availability. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should enable the Content Security Policy (CSP) on your Discourse installation. Additionally, upgrading Discourse to version 3.5.0.beta6 or later will patch the issue. [1]