CVE-2025-48877

9.8 CRITICAL

📋 TL;DR

This vulnerability in Discourse allows attackers to execute arbitrary JavaScript within iframes when Codepen is included in the allowed_iframes setting. It affects all Discourse instances using vulnerable versions, potentially enabling cross-site scripting attacks against users viewing malicious content.

💻 Affected Systems

Products:
  • Discourse
Versions: Stable branch before 3.4.4, beta branch before 3.5.0.beta5, tests-passed branch before 3.5.0.beta6-dev
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default when Codepen is in allowed_iframes setting

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could execute arbitrary JavaScript in users' browsers, leading to session hijacking, credential theft, or complete account compromise.

🟠 Likely Case: Cross-site scripting attacks that steal session cookies or perform unauthorized actions on behalf of authenticated users.

🟢 If Mitigated: Limited impact with proper content security policies and iframe sandboxing, though some risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (viewing malicious content) but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Stable: 3.4.4, Beta: 3.5.0.beta5, Tests-passed: 3.5.0.beta6-dev

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-cm93-6m2m-cjcv

Restart Required: Yes

Instructions:

1. Update Discourse to a patched version using your deployment method (Docker, manual, etc.)
2. Restart the application
3. Verify that the version has been updated

🔧 Temporary Workarounds

Remove Codepen from allowed_iframes

Applies to: all

Remove the Codepen prefix from the allowed_iframes site setting to prevent exploitation.

Navigate to Admin > Settings > allowed_iframes and remove any Codepen entries.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to restrict iframe execution
  • Monitor for suspicious iframe usage and Codepen-related activity in logs

🔍 How to Verify

Check if Vulnerable:

Check the Discourse version and verify whether Codepen is present in the allowed_iframes setting.

Check Version:

Check the Discourse admin panel, or run: docker exec discourse cat /app/VERSION

Verify Fix Applied:

Confirm that the version is patched, and that either Codepen has been removed from allowed_iframes or the patched version prevents auto-execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual iframe usage patterns
  • Codepen-related iframe requests in access logs

Network Indicators:

  • Unexpected iframe content loading from external domains

SIEM Query:

web_logs | where url contains "codepen.io" and user_agent contains "discourse"

🔗 References