SB2025060974 - Multiple vulnerabilities in Discourse
Published: June 9, 2025 Updated: July 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2025-48053)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in bot private message URL handling when processing a malicious URL sent in a private message to a bot user. A remote user can send a specially crafted private message containing a malicious URL to cause a denial of service.
2) Cross-site scripting (CVE-ID: CVE-2025-48062)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject HTML into the email body and disclose sensitive information.
The vulnerability exists due to improper neutralization of input during web page generation in invite email templates when including a topic title containing HTML in invitation emails. A remote user can invite someone to a private message or to a topic with a custom message using a crafted topic title to inject HTML into the email body and disclose sensitive information.
The issue affects certain invitations sent to recipients without an account.
3) Cross-site scripting (CVE-ID: CVE-2025-48877)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the iframe scope.
The vulnerability exists due to improper neutralization of active content in embedded CodePen iframe handling when rendering user-supplied embedded CodePen content. A remote user can include a crafted CodePen embed to execute arbitrary JavaScript in the iframe scope.
The issue is related to CodePen being present in the default allowed_iframes site setting.
Remediation
Install update from vendor's website.