CVE-2025-48062
📋 TL;DR
This vulnerability allows HTML injection in Discourse email invitations when topic titles contain HTML. Attackers can inject malicious HTML into email bodies sent to users without accounts, potentially leading to phishing or other email-based attacks. All Discourse instances running vulnerable versions are affected.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could embed malicious scripts or phishing content in invitation emails, potentially compromising user accounts or systems through social engineering attacks.
Likely Case
Attackers inject HTML content into invitation emails, potentially enabling phishing attempts or content spoofing against recipients.
If Mitigated
With proper email security controls and user awareness, the impact is limited to visual content manipulation in emails.
🎯 Exploit Status
Requires ability to create topics with HTML in titles and send invitations, but no authentication bypass is needed beyond normal user permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Stable: 3.4.4, Beta: 3.5.0.beta5, Tests-passed: 3.5.0.beta6-dev
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-x8mp-chx3-6x2p
Restart Required: Yes
Instructions:
1. Back up your Discourse instance.
2. Update to the patched version using the standard Discourse update commands.
3. Restart the application.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Template Override Workaround
Override the relevant email templates so they do not use the {topic_title} variable, which prevents HTML from a title reaching the email body.
Alternatively, modify the email templates to sanitize (HTML-escape) the {topic_title} variable before it is inserted.
🧯 If You Can't Patch
- Disable email invitations for users without accounts
- Implement email content filtering to strip HTML from outgoing invitation emails
🔍 How to Verify
Check if Vulnerable:
Compare your Discourse version against the affected versions. To confirm, create a topic whose title contains a harmless HTML tag and send an invitation to an email address that has no account; if the tag renders as markup in the received email, the instance is vulnerable.
Check Version:
Check Discourse admin panel or run: `cd /var/discourse && ./launcher status app`
Verify Fix Applied:
After patching, test that HTML in topic titles no longer renders in invitation emails.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML patterns in email invitation logs
- Multiple invitation emails sent to non-users
Network Indicators:
- Outgoing emails with unexpected HTML content
- Email headers showing HTML injection attempts
SIEM Query:
Search for email invitation events with HTML content in topic titles or unusual HTML patterns in email bodies.
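The sanitize-the-variable workaround and the "HTML in topic titles" detection described above, shown together as an added Ruby example (not Discourse's own code): the topic title is HTML-escaped before it is interpolated into an invitation body, and a helper flags titles that contain markup so they can be logged. The template string, helper names and sample titles are constructed for this example.

```ruby
require "erb"

# Matches an opening or closing HTML tag whose name follows "<" directly,
# so plain text such as "a < b and c > d" is not flagged. Assumed pattern.
HTML_TAG = /<\/?[a-z][a-z0-9-]*(\s[^<>]*)?\/?>/i

# Escape a title so it can only ever be displayed as text inside an HTML
# email, never interpreted as markup (escapes & < > " ').
def safe_topic_title(title)
  ERB::Util.html_escape(title.to_s)
end

# Render an invitation body from a constructed stand-in template. Every
# user-controlled value is escaped before interpolation; the block form of
# gsub is used so backslashes in the value are not treated as references.
def render_invite(template, topic_title:, inviter:)
  template
    .gsub("{topic_title}") { safe_topic_title(topic_title) }
    .gsub("{inviter}") { ERB::Util.html_escape(inviter.to_s) }
end

# True when a title contains HTML markup, i.e. the "unusual HTML pattern in
# a topic title" a monitor would want to record.
def suspicious_title?(title)
  !!(title.to_s =~ HTML_TAG)
end

# One log line per suspicious title from a batch of [title, author] pairs.
def title_alerts(titles)
  titles.select { |title, _| suspicious_title?(title) }
        .map { |title, author| "ALERT html-in-topic-title author=#{author} title=#{title.inspect}" }
end

if __FILE__ == $PROGRAM_NAME
  template = "<p>{inviter} invited you to the topic \"{topic_title}\".</p>"
  puts render_invite(template, topic_title: "Weekly <b>update</b>", inviter: "alice")
  puts title_alerts([["Release notes", "bob"], ["Weekly <b>update</b>", "carol"]])
end
```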