CVE-2025-66488
📋 TL;DR
This vulnerability in Discourse lets an attacker who can upload files place HTML or XML files in S3-backed upload storage; when a victim opens such a file, any script it contains executes in the origin of the S3 bucket or CDN that serves uploads. It affects Discourse instances that store uploads in S3 and run a vulnerable version. The scripts run in the S3/CDN origin, not the forum's, so they do not receive the site's credentials, but they can still act within that origin and present attacker-controlled content from a hostname users associate with the forum.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
When a victim opens an uploaded file, attacker-controlled script runs in the S3/CDN origin. The advisory describes this as execution without site credentials: the forum's session cookies belong to the forum's own origin and are not handed to a script on the S3/CDN hostname. The realistic worst case is therefore credential theft through a convincing phishing page, or malware distribution, hosted on a domain users trust, plus whatever else is reachable inside that same S3/CDN origin.
Likely Case
A phishing or defacement page served from the S3/CDN domain and reached by a direct link. The script is confined to that origin, so the practical damage is to user trust and to whoever is lured to the page, not to forum sessions.
If Mitigated
No impact if upload restrictions block HTML/XML files or if patched versions are used.
🎯 Exploit Status
Exploitation requires an account that can upload files to the Discourse instance, and the instance must store uploads in S3. The advisory states that script execution is possible but confined to the S3/CDN origin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx
Restart Required: Yes
Instructions:
1. Back up your Discourse instance.
2. Update to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 using your deployment method.
3. Restart the application.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict HTML/XML Uploads
Modify the authorized_extensions site setting to disallow html and xml uploads.
In the Discourse admin settings, remove 'html' and 'xml' from the authorized_extensions list so the upload endpoint rejects those file types. The setting is a pipe-separated list, so check for html and xml as whole entries rather than as substrings of other names, and confirm that the saved value no longer contains them.
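As an added example (not Discourse's own code and not part of the advisory), the Ruby below audits an authorized_extensions value for html and xml and returns a cleaned copy. It assumes the setting's pipe-separated format, that a bare * entry means every extension is allowed, and that a companion authorized_extensions_for_staff setting governs staff uploads; the function names and the sample value are this example's own. Run it once to clean the value and again after the change to confirm the list no longer allows markup uploads.

```ruby
# Added example, not Discourse code: audit and clean a pipe-separated
# authorized_extensions value for the markup types named in the advisory.
MARKUP_EXTENSIONS = %w[html xml].freeze

# Normalise one entry: trim whitespace, drop a leading dot, lower-case.
def normalize_extension(entry)
  entry.strip.downcase.delete_prefix('.')
end

# True when the list would accept an HTML or XML upload. A bare "*" is
# assumed to mean "allow every extension", so a wildcard counts as allowing
# them even when html/xml are not spelled out.
def allows_markup_upload?(list)
  entries = list.to_s.split('|').map { |e| normalize_extension(e) }
  entries.include?('*') || (entries & MARKUP_EXTENSIONS).any?
end

# Return the list with html/xml removed, other entries and order preserved.
# A wildcard cannot be fixed by removing two names, so such a list is
# returned unchanged for a human to replace with an explicit allow-list.
def strip_markup_extensions(list)
  entries = list.to_s.split('|').map { |e| normalize_extension(e) }
                .reject(&:empty?).uniq
  return list if entries.include?('*')
  (entries - MARKUP_EXTENSIONS).join('|')
end

# Constructed sample: a site that had opted in to html and xml uploads.
SAMPLE_SETTING = 'jpg|jpeg|png|gif|pdf|HTML|.xml'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "allows markup: #{allows_markup_upload?(SAMPLE_SETTING)}"
  puts "cleaned:       #{strip_markup_extensions(SAMPLE_SETTING)}"
end

# Applying it to a live instance from the rails console inside the app
# container (cd /var/discourse && ./launcher enter app, then rails c);
# the staff list is an assumption about the setting name:
#   SiteSetting.authorized_extensions =
#     strip_markup_extensions(SiteSetting.authorized_extensions)
#   SiteSetting.authorized_extensions_for_staff =
#     strip_markup_extensions(SiteSetting.authorized_extensions_for_staff)
```

The wildcard case is the one that quietly defeats the workaround: a list that reads `*` already allows html and xml, and removing two names from it changes nothing, so the audit function reports it as still vulnerable.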
🧯 If You Can't Patch
- Implement the workaround to block HTML/XML uploads immediately
- Review and delete any existing HTML/XML uploads from S3 storage
🔍 How to Verify
Check if Vulnerable:
Read the running version from the admin dashboard, or from the host: `cd /var/discourse && ./launcher status app`, and compare it with the patched versions listed above. If uploads are stored in S3 and the version is older than the fix for its release line, the instance is vulnerable.
Check Version:
cd /var/discourse && ./launcher status app | grep version
Verify Fix Applied:
Confirm the version is 3.5.4, 2025.11.2, 2025.12.1, 2026.1.0, or a later release on the same line. Then, as a non-staff test user, attempt to upload a small .html file and confirm that it is rejected, or, if it is accepted, that opening its S3/CDN URL in a browser no longer renders it as a page.
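Added example (not part of the advisory): a version check in Ruby that understands both Discourse numbering schemes. The 3.x line uses semver-style numbers while the newer releases use year.month.patch, so a naive comparison across the two is wrong; each release line is compared against its own fixed version from the list above. Treating unlisted older lines, such as 3.6.0 betas or 2025.10.x, as vulnerable is this example's conservative assumption, not a statement from the advisory.

```ruby
# Added example, not from the advisory: branch-aware version comparison
# for the fixed versions 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0.
FIXED_VERSIONS = {
  [3, 5]     => [3, 5, 4],
  [2025, 11] => [2025, 11, 2],
  [2025, 12] => [2025, 12, 1],
  [2026, 1]  => [2026, 1, 0],
}.freeze
NEWEST_FIXED_LINE = FIXED_VERSIONS.keys.max

# "3.5.3", "2025.12.1", "2026.1.0.beta1" -> [[numeric parts], pre-release tag]
def parse_version(str)
  parts = str.to_s.strip.split('.')
  numbers = parts.take_while { |p| p.match?(/\A\d+\z/) }.map(&:to_i)
  prerelease = parts.drop(numbers.size).join('.')
  [numbers, prerelease]
end

def patched?(version_string)
  numbers, prerelease = parse_version(version_string)
  return false if numbers.size < 3
  line = numbers.first(2)
  fixed = FIXED_VERSIONS[line]
  if fixed.nil?
    # A date-based line newer than the newest fixed one is past the fix.
    # An older, unlisted line (3.4.x, 3.6.0 betas, 2025.10.x) is treated
    # as vulnerable; that is an assumption of this example.
    return line[0] >= 2026 && (line <=> NEWEST_FIXED_LINE) >= 0
  end
  cmp = numbers.first(3) <=> fixed
  # A pre-release carrying the fixed patch number (2026.1.0.beta1) predates
  # the final release, so only an exact or later final release counts.
  cmp > 0 || (cmp == 0 && prerelease.empty?)
end

if __FILE__ == $PROGRAM_NAME
  %w[3.5.3 3.5.4 2025.11.1 2025.12.1 2026.1.0.beta1 2026.2.0].each do |v|
    puts "#{v}: #{patched?(v) ? 'patched' : 'vulnerable'}"
  end
end
```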
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/XML file uploads to S3
- Failed upload attempts of restricted file types
- CDN/S3 access logs showing GET requests for HTML/XML objects under the upload prefixes, especially with a Referer from outside the forum (a phishing link pointing straight at the hosted file)
Network Indicators:
- Requests to S3/CDN domains serving HTML/XML files from Discourse uploads
- Unexpected script loads from upload domains
SIEM Query (illustrative; field names depend on how your log source is parsed):
source="discourse_logs" AND (file_extension="html" OR file_extension="xml") AND action="upload"
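Added example (not from the advisory or the Discourse project): a Ruby scanner over S3 server access log lines that flags writes and reads of HTML/XML objects under Discourse's upload prefixes and marks fetches whose Referer is not the forum. The field order follows the S3 server access log format (owner, bucket, [time], remote IP, requester, request ID, operation, key, "request-URI", status, error, bytes sent, object size, total time, turnaround, "referer", "user-agent", ...). The sample lines, bucket name and forum host are constructed, and the original/ and optimized/ prefixes are this example's assumption about Discourse's bucket layout.

```ruby
require 'uri'

# Added example, not Discourse code: detection over S3 server access logs.
MARKUP_EXTENSIONS = %w[html xml].freeze
# Assumed Discourse layout: originals under original/, resized copies under optimized/
UPLOAD_PREFIXES = %w[original/ optimized/].freeze

S3_LINE = /\A(?<owner>\S+) (?<bucket>\S+) \[(?<time>[^\]]+)\] (?<remote_ip>\S+) (?<requester>\S+) (?<request_id>\S+) (?<operation>\S+) (?<key>\S+) "(?<request_uri>[^"]*)" (?<status>\S+) (?<error>\S+) (?<bytes_sent>\S+) (?<object_size>\S+) (?<total_time>\S+) (?<turnaround>\S+) "(?<referer>[^"]*)" "(?<user_agent>[^"]*)"/

# Parse one line into a hash of named fields, or nil when it does not match.
def parse_s3_log_line(line)
  m = S3_LINE.match(line)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n.to_sym] = m[n] }
end

# Lower-cased extension of the object key, '' when it has none.
def upload_extension(key)
  base = key.split('/').last.to_s
  base.include?('.') ? base.split('.').last.downcase : ''
end

# An object under an upload prefix (optionally nested, e.g. multisite) with a markup extension.
def markup_upload_key?(key)
  UPLOAD_PREFIXES.any? { |p| key.start_with?(p) || key.include?("/#{p}") } &&
    MARKUP_EXTENSIONS.include?(upload_extension(key))
end

# A Referer that is present and not the forum itself.
def external_referer?(referer, site_host)
  return false if referer.nil? || referer == '-'
  host = URI.parse(referer).host rescue nil
  host != site_host
end

def scan_s3_access_log(lines, site_host:)
  lines.filter_map do |line|
    rec = parse_s3_log_line(line)
    next unless rec && markup_upload_key?(rec[:key])
    kind = case rec[:operation]
           when /\AREST\.PUT\.OBJECT/, /\AREST\.PUT\.PART/, /\AREST\.POST\.UPLOAD/ then :markup_upload
           when /\AREST\.GET\.OBJECT/ then :markup_fetch
           else next
           end
    { kind: kind, time: rec[:time], key: rec[:key], remote_ip: rec[:remote_ip],
      status: rec[:status], referer: rec[:referer],
      external_referer: external_referer?(rec[:referer], site_host) }
  end
end

# Constructed sample lines: a server-side PUT of an .html upload, a normal
# image fetch from a forum page, a fetch of the .html object from an
# unrelated site, and a line that is not an S3 access log record.
SAMPLE_LINES = [
  '79a59df9EXAMPLE forum-uploads [06/Feb/2026:10:00:01 +0000] 203.0.113.5 AIDAEXAMPLEUSER 3E57427F3EXAMPLE REST.PUT.OBJECT original/1X/0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091.html "PUT /forum-uploads/original/1X/0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091.html HTTP/1.1" 200 - - 2048 12 9 "-" "Discourse/3.5"',
  '79a59df9EXAMPLE forum-uploads [06/Feb/2026:10:03:10 +0000] 198.51.100.7 - 5A6B7C8DEXAMPLE REST.GET.OBJECT original/1X/ffeeddccbbaa99887766554433221100ffeeddcc.png "GET /forum-uploads/original/1X/ffeeddccbbaa99887766554433221100ffeeddcc.png HTTP/1.1" 200 - 51200 51200 20 14 "https://forum.example/t/some-topic/42" "Mozilla/5.0"',
  '79a59df9EXAMPLE forum-uploads [06/Feb/2026:10:05:42 +0000] 198.51.100.9 - 7C8D9E0FEXAMPLE REST.GET.OBJECT original/1X/0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091.html "GET /forum-uploads/original/1X/0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091.html HTTP/1.1" 200 - 2048 2048 15 10 "https://evil.example/" "Mozilla/5.0"',
  'not an s3 access log line at all',
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_s3_access_log(SAMPLE_LINES, site_host: 'forum.example').each { |f| puts f.inspect }
end
```

The upload finding tells you that a markup object exists and when it appeared; the fetch finding with an external Referer is the stronger signal, because it shows the file being reached from outside the forum, which is how a hosted phishing page would be used. Feed the same scanner the CDN's origin-fetch logs if the bucket is fronted by a CDN, since cached hits will not reach S3.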