CVE-2025-53102
📋 TL;DR
Discourse versions before 3.4.7 and 3.5.0.beta8 have a session fixation vulnerability in the WebAuthn 2FA implementation. When a user authenticates with a physical security key, the server fails to clear the authentication challenge from the session, so the same challenge could be reused by an attacker. This affects all Discourse instances using WebAuthn 2FA.
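To make the flaw concrete, the following Ruby model (an added example, not Discourse's code) contrasts a verifier that leaves the challenge in the session after a successful check with one that consumes it. The authenticator's signature is stood in for by an HMAC with a constructed per-credential secret; real WebAuthn uses public-key signatures over the challenge and client data, so everything here (the `ChallengeFlow` module, the session hash, the secret) is a simplification chosen to isolate the single-use property.

```ruby
require "openssl"
require "securerandom"

# Toy model of a WebAuthn 2FA challenge flow (added example, not Discourse code).
# The authenticator signature is replaced by an HMAC with a constructed secret,
# which is NOT real WebAuthn but is enough to show why a challenge must be
# single-use once it has been verified.
module ChallengeFlow
  CREDENTIAL_SECRET = "constructed-credential-secret" # assumption, not a real key

  # Server side: issue a fresh random challenge and store it in the session.
  def self.issue_challenge(session)
    session[:webauthn_challenge] = SecureRandom.hex(32)
  end

  # Stand-in for the authenticator: produce a response bound to the challenge.
  def self.authenticator_response(challenge)
    { challenge: challenge,
      signature: OpenSSL::HMAC.hexdigest("SHA256", CREDENTIAL_SECRET, challenge) }
  end

  # Constant-time string comparison, so the check itself does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.signature_valid?(response)
    expected = OpenSSL::HMAC.hexdigest("SHA256", CREDENTIAL_SECRET, response[:challenge])
    secure_equal?(expected, response[:signature])
  end

  # Vulnerable pattern: the stored challenge is compared but never removed,
  # so a response that already succeeded keeps succeeding against this session.
  def self.verify_vulnerable(session, response)
    stored = session[:webauthn_challenge]
    return false if stored.nil? || !secure_equal?(stored, response[:challenge])
    signature_valid?(response)
  end

  # Hardened pattern: consume the challenge before checking anything, so each
  # issued challenge can be used at most once, whatever the outcome.
  def self.verify_fixed(session, response)
    stored = session.delete(:webauthn_challenge)
    return false if stored.nil? || !secure_equal?(stored, response[:challenge])
    signature_valid?(response)
  end

  # Run one verifier twice with the same captured response on the same session
  # and return [first_result, second_result]; the second call is the replay.
  def self.replay_outcome(verifier)
    session = {}
    challenge = issue_challenge(session)
    response = authenticator_response(challenge)
    first = public_send(verifier, session, response)
    second = public_send(verifier, session, response)
    [first, second]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{ChallengeFlow.replay_outcome(:verify_vulnerable).inspect}"
  puts "fixed:      #{ChallengeFlow.replay_outcome(:verify_fixed).inspect}"
end
```

The only difference between the two verifiers is `session.delete` versus a plain read; deleting before the comparison (rather than after a successful one) also ensures a failed attempt cannot be retried against the same challenge.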
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could reuse WebAuthn challenges to bypass 2FA and gain unauthorized access to user accounts, potentially compromising administrative accounts and taking over the Discourse instance.
Likely Case
Attackers with access to session data could bypass 2FA for specific users, gaining unauthorized access to their accounts and potentially escalating privileges.
If Mitigated
With proper session management and monitoring, impact is limited to specific compromised sessions rather than systemic compromise.
🎯 Exploit Status
Exploitation requires access to user session data and knowledge of WebAuthn protocol. No public exploits have been reported.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.7 (stable) or 3.5.0.beta8 (tests-passed)
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv
Restart Required: Yes
Instructions:
1. Back up your Discourse instance.
2. Update to Discourse 3.4.7 or later via the standard update process.
3. Restart the application.
4. Verify the fix by checking the version and testing WebAuthn authentication.
🔧 Temporary Workarounds
Disable WebAuthn 2FA
Temporarily disable WebAuthn-based 2FA authentication until patching is complete
Admin > Settings > Login > Disable 'Enable WebAuthn'
Enforce session timeout
Reduce the session duration to limit the window for challenge reuse
Admin > Settings > Security > Set 'Session duration' to lower value
🧯 If You Can't Patch
- Disable WebAuthn 2FA entirely and use TOTP-based 2FA instead
- Implement additional monitoring for unusual authentication patterns and session reuse
🔍 How to Verify
Check if Vulnerable:
Check Discourse version via admin panel or run: `cd /var/discourse && ./launcher status app`
Check Version:
`cd /var/discourse && ./launcher status app | grep 'image:'`
Verify Fix Applied:
Verify version is 3.4.7 or higher, then test WebAuthn authentication to confirm challenge is cleared after use
📡 Detection & Monitoring
Log Indicators:
- Multiple successful WebAuthn authentications with same challenge ID
- Rapid successive authentications from same user session
Network Indicators:
- Unusual patterns of WebAuthn authentication requests
- Repeated authentication attempts with similar timing
SIEM Query:
`source="discourse" AND (event="webauthn_auth" OR event="session_create") | stats count by user_id, session_id, challenge_id`
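The two log indicators above (a challenge ID succeeding more than once, and rapid successive authentications within one session) and the `stats count by` grouping of the SIEM query can be reproduced offline with the following Ruby script. This is an added example, not Discourse or SIEM code: the JSON log lines are constructed, and the field names (`event`, `result`, `session_id`, `challenge_id`) are assumptions about how such events might be logged, so map them to your own log schema before use.

```ruby
require "json"
require "time"

# Offline detection over constructed WebAuthn/session log lines (added example).
# Field names are assumptions about a JSON log format, not real Discourse output.
module WebauthnDetect
  SAMPLE_LOG = <<~LOG
    {"ts":"2025-07-01T10:00:00Z","event":"webauthn_auth","result":"success","user_id":42,"session_id":"s-aaa","challenge_id":"ch-1"}
    {"ts":"2025-07-01T10:00:03Z","event":"webauthn_auth","result":"success","user_id":42,"session_id":"s-aaa","challenge_id":"ch-1"}
    {"ts":"2025-07-01T10:05:00Z","event":"webauthn_auth","result":"success","user_id":7,"session_id":"s-bbb","challenge_id":"ch-2"}
    {"ts":"2025-07-01T11:00:00Z","event":"webauthn_auth","result":"failure","user_id":7,"session_id":"s-bbb","challenge_id":"ch-3"}
    {"ts":"2025-07-01T11:00:30Z","event":"session_create","user_id":7,"session_id":"s-ccc"}
    {"ts":"2025-07-01T12:00:00Z","event":"webauthn_auth","result":"success","user_id":9,"session_id":"s-ddd","challenge_id":"ch-4"}
    {"ts":"2025-07-01T12:00:01Z","event":"webauthn_auth","result":"success","user_id":9,"session_id":"s-ddd","challenge_id":"ch-5"}
  LOG

  Event = Struct.new(:ts, :event, :result, :user_id, :session_id, :challenge_id)

  # Parse one JSON object per line into Event structs; blank lines are skipped.
  def self.parse_events(text)
    text.each_line.map(&:strip).reject(&:empty?).map do |line|
      h = JSON.parse(line)
      Event.new(Time.iso8601(h["ts"]), h["event"], h["result"],
                h["user_id"], h["session_id"], h["challenge_id"])
    end
  end

  def self.successful_auths(events)
    events.select { |e| e.event == "webauthn_auth" && e.result == "success" }
  end

  # Indicator 1: a challenge ID that succeeded more than once. Returns
  # { challenge_id => count } for every challenge seen in 2+ successes.
  def self.reused_challenges(events)
    successful_auths(events)
      .group_by(&:challenge_id)
      .transform_values(&:size)
      .select { |_, n| n > 1 }
  end

  # Indicator 2: sessions with two successful authentications closer together
  # than window_seconds. Returns the sorted list of flagged session IDs.
  def self.rapid_reauths(events, window_seconds: 10)
    successful_auths(events).group_by(&:session_id).filter_map do |sid, evs|
      times = evs.map(&:ts).sort
      sid if times.each_cons(2).any? { |a, b| (b - a) <= window_seconds }
    end.sort
  end

  # Equivalent of the SIEM query's "stats count by user_id, session_id,
  # challenge_id" over webauthn_auth and session_create events.
  def self.counts_by_key(events)
    events.select { |e| %w[webauthn_auth session_create].include?(e.event) }
          .group_by { |e| [e.user_id, e.session_id, e.challenge_id] }
          .transform_values(&:size)
  end
end

if __FILE__ == $PROGRAM_NAME
  events = WebauthnDetect.parse_events(WebauthnDetect::SAMPLE_LOG)
  puts "reused challenges: #{WebauthnDetect.reused_challenges(events).inspect}"
  puts "rapid re-auth sessions: #{WebauthnDetect.rapid_reauths(events).inspect}"
  WebauthnDetect.counts_by_key(events).each { |k, n| puts "#{k.inspect} => #{n}" }
end
```

On the constructed sample, `ch-1` is flagged as reused and sessions `s-aaa` and `s-ddd` as rapid re-authentications; the rapid-re-auth heuristic is a timing signal only, so tune `window_seconds` against a baseline of legitimate logins before alerting on it.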