CVE-2025-22602
📋 TL;DR
This vulnerability allows attackers to execute arbitrary JavaScript in users' browsers by posting malicious video placeholder HTML elements in Discourse forums. Only Discourse sites with Content Security Policy (CSP) disabled are affected. Attackers can steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over forum administration, exfiltrate user data, or distribute malware to all forum visitors.
Likely Case
Attackers would steal user session cookies to hijack accounts, post spam, or redirect users to malicious sites.
If Mitigated
With CSP enabled, the attack is completely prevented as CSP blocks inline JavaScript execution.
🎯 Exploit Status
Exploitation requires posting privileges (typically registered user access). The vulnerability is straightforward to exploit once an attacker understands the video placeholder HTML injection technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version of Discourse (specific version not specified in advisory)
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-694p-c5m3
Restart Required: Yes
Instructions:
1. Update Discourse to the latest version using standard update procedures.
2. Restart the Discourse application.
3. Verify CSP remains enabled in site settings.
🔧 Temporary Workarounds
Enable Content Security Policy
Enable CSP in Discourse settings to block inline JavaScript execution and prevent this attack.
Navigate to Admin > Settings > Security > Content Security Policy and ensure it's enabled
🧯 If You Can't Patch
- Enable Content Security Policy (CSP) immediately in Discourse settings
- Restrict posting privileges to trusted users only and monitor for suspicious posts
🔍 How to Verify
Check if Vulnerable:
Check whether CSP is disabled in Discourse settings AND the installed version is older than the patched release
Check Version:
Check Discourse admin dashboard or run: `cd /var/discourse && ./launcher status app`
Verify Fix Applied:
Verify Discourse is updated to the latest version AND CSP is enabled in settings
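The verification above turns on one question: does the site's policy actually block inline JavaScript? The following script, added here as an example and not taken from the advisory or from Discourse, parses a captured Content-Security-Policy header value and reports whether inline scripts and on* handlers would still be allowed to run. It assumes you have copied the header from your own site's response (for instance from the browser's developer tools); the header values in SAMPLE_HEADERS are constructed.

```python
"""Check whether a Content-Security-Policy header still permits inline scripts.

Added example for the verification step; not part of the advisory or of
Discourse. Input is the raw value of a captured CSP response header.
"""

# Source expressions that neutralise 'unsafe-inline' in browsers implementing
# CSP Level 2 or later: when a nonce or hash is present, 'unsafe-inline' is ignored.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header value into {directive_name: [source expressions]}.

    Directives are separated by ';'; the first token of each is the name.
    If a directive is repeated, the first occurrence wins, as browsers do.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def inline_script_allowed(header):
    """Return True if the policy lets inline <script> blocks or on* handlers run.

    Simplification: script-src-elem / script-src-attr are not modelled; only
    script-src and its fallback to default-src are considered.
    """
    policy = parse_csp(header)
    # Fallback chain: script-src, else default-src, else no restriction at all.
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    # 'unsafe-inline' is present, but a nonce or hash in the same directive
    # causes CSP2+ browsers to ignore it.
    if any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered):
        return False
    return True


def assess(header):
    """Map a header value to a short verdict for a verification checklist."""
    if not header.strip():
        return "FAIL: no Content-Security-Policy header (CSP disabled)"
    if inline_script_allowed(header):
        return "FAIL: policy permits inline scripts"
    return "PASS: inline scripts blocked"


# Constructed header values, not taken from any real site.
SAMPLE_HEADERS = {
    "missing": "",
    "no_script_restriction": "img-src 'self'; frame-ancestors 'none'",
    "strict_default": "default-src 'self'",
    "inline_allowed": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "nonce_overrides_inline": "script-src 'self' 'unsafe-inline' 'nonce-ZmFrZS1ub25jZQ=='",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:24s} {assess(value)}")
```

A missing header and a policy that never constrains scripts both count as failures, since in either case the browser has no reason to refuse an inline handler; a policy that names a nonce or hash passes even when 'unsafe-inline' is also listed, because modern browsers then ignore that keyword.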
📡 Detection & Monitoring
Log Indicators:
- Unusual posts containing video placeholder HTML elements
- Multiple CSP violation reports for blocked inline scripts, if CSP is enabled and violation reporting is configured
Network Indicators:
- Outbound connections to unexpected domains from forum pages
- Suspicious JavaScript execution patterns
SIEM Query:
Search for posts containing unusual video or iframe HTML elements, especially with JavaScript event handlers
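The search described above can be run offline against exported post HTML. The script below is an added example, not part of the advisory or of Discourse: it walks each post's HTML with the standard-library parser and flags video or iframe elements (informational) and any inline event-handler attribute (high), the combination the SIEM query calls for. It assumes the posts are available as a mapping of post id to HTML string; beyond the advisory's wording it also flags javascript: URIs in URL-bearing attributes. The posts in SAMPLE_POSTS are constructed, with placeholder handler bodies.

```python
"""Flag forum posts whose HTML carries video/iframe elements or inline script hooks.

Added example for the detection section; not part of the advisory or of
Discourse. Input: {post_id: rendered HTML fragment}.
"""
from html.parser import HTMLParser

# Element types the advisory describes as unusual in ordinary forum posts.
MEDIA_TAGS = {"video", "iframe"}
# Attributes that take a URL and could therefore carry a javascript: scheme.
URI_ATTRS = {"src", "href", "poster", "data"}


class PostScanner(HTMLParser):
    """Collect (severity, tag, attribute) findings while walking an HTML fragment.

    html.parser lowercases tag and attribute names and decodes character
    references in attribute values, so case tricks and entity-encoded
    schemes are seen in plain form.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Media/iframe elements are informational: worth a look, not proof of abuse.
        if tag in MEDIA_TAGS:
            self.findings.append(("info", tag, None))
        for name, value in attrs:
            val = (value or "").strip().lower()
            if name.startswith("on"):
                # Inline event handler: a sanitizer should never let these through.
                self.findings.append(("high", tag, name))
            elif name in URI_ATTRS and val.startswith("javascript:"):
                self.findings.append(("high", tag, name))


def scan_post(html):
    """Return the list of findings for one post's HTML."""
    scanner = PostScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def triage(posts):
    """Return {post_id: worst severity} for every post with at least one finding."""
    rank = {"info": 0, "high": 1}
    result = {}
    for post_id, html in posts.items():
        findings = scan_post(html)
        if findings:
            result[post_id] = max((f[0] for f in findings), key=rank.__getitem__)
    return result


# Constructed sample posts; the handler bodies are placeholders, not payloads.
SAMPLE_POSTS = {
    101: "<p>Has anyone tried the new release?</p>",
    102: '<p>Demo clip:</p><video src="https://cdn.example/clip.mp4" controls></video>',
    103: '<div onclick="x()"><video src="clip.mp4" onloadstart="y()"></video></div>',
    104: '<iframe src="javascript:z()"></iframe>',
}

if __name__ == "__main__":
    for post_id, severity in sorted(triage(SAMPLE_POSTS).items()):
        print(post_id, severity, scan_post(SAMPLE_POSTS[post_id]))
```

Posts that merely embed a video are reported at the informational level so that legitimate media does not drown the queue; anything carrying an on* attribute is reported as high, because a correctly sanitized post should never contain one.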