CVE-2025-53102

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802	Patch
https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb	Patch
https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:::::beta:::*
	cpe:2.3:a:discourse:discourse:3.5.0:beta1:::beta:::*
	cpe:2.3:a:discourse:discourse:3.5.0:beta2:::beta:::*
	cpe:2.3:a:discourse:discourse:3.5.0:beta3:::beta:::*
	cpe:2.3:a:discourse:discourse:3.5.0:beta4:::beta:::*
	cpe:2.3:a:discourse:discourse:3.5.0:beta5:::beta:::*
	cpe:2.3:a:discourse:discourse:3.5.0:beta6:::beta:::*
	cpe:2.3:a:discourse:discourse:3.5.0:beta7:::beta:::*

History

No history.

Information

Published : 2025-07-29 20:15

Updated : 2025-08-25 17:47

NVD link : CVE-2025-53102

Mitre link : CVE-2025-53102

CVE.ORG link : CVE-2025-53102

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-384

Session Fixation

{"id": "CVE-2025-53102", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-29T20:15:28.327", "references": [{"url": "https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user\u2019s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n comunitaria de c\u00f3digo abierto. Antes de la versi\u00f3n 3.4.7 en la rama \"stable\" y la versi\u00f3n 3.5.0.beta.8 en la rama \"tests-passed\", al emitir una clave de seguridad f\u00edsica para 2FA, el servidor generaba un desaf\u00edo de WebAuthn, que el cliente firmaba. El desaf\u00edo no se borraba de la sesi\u00f3n del usuario despu\u00e9s de la autenticaci\u00f3n, lo que podr\u00eda permitir la reutilizaci\u00f3n y aumentar el riesgo de seguridad. Esto se solucion\u00f3 en las versiones 3.4.7 y 3.5.0.beta.8."}], "lastModified": "2025-08-25T17:47:56.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "vulnerable": true, "matchCriteriaId": "80C9BF5A-CF58-47C8-8972-8E72B5AE2F75", "versionEndExcluding": "3.4.6"}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "73CCF1CA-974D-46FC-AC27-08119E603047", "versionEndIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta1:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "66931995-F794-48F0-9DBB-9048B6C9D8DD"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta2:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "B0461B93-273C-4305-80F9-C70A100B4DFE"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta3:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "F1596D4E-FD8B-4443-AAAE-1D4AC6B1CE6D"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta4:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "997761D0-A8A1-438F-83DE-5E9E4890CEED"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta5:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "685B6537-929A-4DC9-8984-E114C5CB6E77"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta6:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D71C7F-CDE7-41DE-84DF-ACE62AD829B2"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.5.0:beta7:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "7406D79F-ADD6-4AA6-95C9-7CC3EB19DFC8"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}