CVE-2025-53102

CRITICAL

Discourse <3.4.7-3.5.0.beta.8 - Info Disclosure

Title source: llm

Description

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.

References (3)

[Third Party Advisory] https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv

[Patch] https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802

[Patch] https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0009

EPSS Percentile 24.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-384

Status published

Products (3)

discourse/discourse 3.5.0 beta1 (7 CPE variants)

discourse/discourse < 3.4.6

discourse/discourse < 3.5.0

Published Jul 29, 2025

Tracked Since Feb 18, 2026