CVE-2025-48954
📋 TL;DR
Discourse versions before 3.5.0.beta6 are vulnerable to cross-site scripting (XSS) when social logins are used without Content Security Policy (CSP) enabled. This allows attackers to inject malicious scripts that execute in users' browsers. All Discourse instances using social logins without CSP are affected.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user devices.
Likely Case
Attackers inject malicious JavaScript to steal user credentials, session tokens, or perform limited account takeover via social login flows.
If Mitigated
With CSP enabled, script injection is blocked, preventing XSS exploitation while maintaining social login functionality.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity. The advisory suggests the vulnerability is in social login flows, which are commonly accessible without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.0.beta6
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-26p5-mjjh-wfcf
Restart Required: Yes
Instructions:
1. Update Discourse to version 3.5.0.beta6 or later.
2. Run standard Discourse update procedures.
3. Restart the application server.
🔧 Temporary Workarounds
Enable Content Security Policy
Enable CSP headers to block XSS exploitation while maintaining social login functionality.
Enable CSP in Discourse admin settings: Admin > Settings > Security > Content Security Policy
🧯 If You Can't Patch
- Disable social logins entirely until patching is possible.
- Implement additional WAF rules to detect and block XSS payloads in social login flows.
🔍 How to Verify
Check if Vulnerable:
Check Discourse version via admin panel or run: `cd /var/discourse && ./launcher status app`
Check Version:
`cd /var/discourse && cat containers/app.yml | grep version`
Verify Fix Applied:
Confirm version is 3.5.0.beta6 or later and CSP is enabled in security settings.
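The three conditions above (version before 3.5.0.beta6, social logins on, no enforcing CSP) as an added Python check; this is not code from the advisory or from Discourse, and it assumes the operator supplies the version string and the site's response headers (the header sets below are constructed samples).

```python
import re
from typing import Mapping, Tuple

FIXED_VERSION = "3.5.0.beta6"  # patch version named in the advisory

# Discourse versions look like "3.4.2" or "3.5.0.beta6"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key for Discourse version strings.

    A beta sorts before the final release of the same x.y.z, so the key
    carries a 'released' flag (1 for final, 0 for beta) ahead of the beta number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Discourse version: {version!r}")
    major, minor, patch, beta = m.groups()
    released = 1 if beta is None else 0
    return (int(major), int(minor), int(patch), released, int(beta or 0))


def is_patched(version: str) -> bool:
    """True when the running version already contains the fix."""
    return version_key(version) >= version_key(FIXED_VERSION)


def csp_enforced(headers: Mapping[str, str]) -> bool:
    """True only for an enforcing CSP header; Report-Only does not block scripts."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return bool(lowered.get("content-security-policy", "").strip())


def is_exposed(version: str, social_login_enabled: bool, headers: Mapping[str, str]) -> bool:
    """Advisory conditions: unpatched version, social logins on, no enforcing CSP."""
    return (not is_patched(version)) and social_login_enabled and not csp_enforced(headers)


# Constructed sample header sets (a real check would read them from an HTTP response)
REPORT_ONLY_HEADERS = {"Content-Security-Policy-Report-Only": "script-src 'self'"}
ENFORCED_HEADERS = {"content-security-policy": "script-src 'self'"}

if __name__ == "__main__":
    for ver, hdrs in [("3.5.0.beta5", REPORT_ONLY_HEADERS), ("3.5.0.beta5", ENFORCED_HEADERS)]:
        print(ver, "exposed" if is_exposed(ver, True, hdrs) else "not exposed")
```

A version the regex cannot parse raises ValueError rather than silently passing, so a scripted check fails loudly on unexpected input.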
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in social login request logs
- Multiple failed social login attempts with suspicious parameters
Network Indicators:
- Unexpected script tags in social login response headers
- External script loads during OAuth flows
SIEM Query:
`source="discourse.logs" AND ("social-login" OR "oauth") AND ("script" OR "javascript" OR "<script>")`