CVE-2025-48877

Summary

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowed_iframes site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch. As a workaround, the Codepen prefix can be removed from a site's allowed_iframes.

Affected Software

VendorProductVersion RangeStatus
discoursediscourse< 3.4.4affected
discoursediscourse< 3.5.0.beta5affected
discoursediscourse< 3.5.0.beta6-devaffected

Weaknesses

  • CWE-1038: CWE-1038: Insecure Automated Optimizations

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References