CVE-2025-67723
📋 TL;DR
This CVE describes a content-security-policy-mitigated cross-site scripting (XSS) vulnerability in Discourse's Math plugin when using the KaTeX variant. Attackers could potentially inject malicious scripts that execute in users' browsers, though the impact is limited by CSP protections. All Discourse instances running affected versions with the Math plugin enabled and using KaTeX are vulnerable.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.
Likely Case
Limited script execution due to CSP restrictions, potentially allowing minor data exfiltration or UI manipulation within the constraints of the CSP policy.
If Mitigated
With proper CSP policies in place, script execution would be blocked or severely restricted, limiting the attack to policy-allowed actions only.
🎯 Exploit Status
Exploitation requires the ability to post content with mathematical notation and knowledge of CSP bypass techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379
Restart Required: Yes
Instructions:
1. Update Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or newer.
2. Restart the Discourse application.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable Math Plugin
Completely disable the Discourse Math plugin to eliminate the vulnerability.
Navigate to Admin > Plugins > Discourse Math > Disable
Switch to MathJax Provider
Change the math rendering provider from KaTeX to MathJax.
Navigate to Admin > Settings > Plugins > Discourse Math > Set provider to MathJax
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Disable user-generated mathematical content or implement input validation/sanitization
🔍 How to Verify
Check if Vulnerable:
Check the Discourse version and the Math plugin configuration. If the version is older than the patched versions listed above AND the Math plugin is enabled with the KaTeX provider, the instance is vulnerable.
Check Version:
Check Admin > Dashboard or run: `cd /var/discourse && ./launcher status app`
Verify Fix Applied:
Verify Discourse version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or newer, and test mathematical content rendering.
📡 Detection & Monitoring
Log Indicators:
- Unusual mathematical content patterns
- CSP violation reports for math-related resources
Network Indicators:
- Unexpected script loads from mathematical content domains
SIEM Query:
Search for CSP violation events related to 'katex' or 'math' domains in web application logs
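Detection logic for the SIEM query above, as an added example that is not part of this advisory or of the Discourse project: it parses CSP violation reports in both the legacy `report-uri` format and the Reporting API (`report-to`) format and flags script-src violations that reference katex or math. The sample log lines, hostnames and paths are constructed.

```python
import json
import re

# Heuristic from the advisory: script-src violations that mention katex or math.
# Deliberately broad; tune the pattern to your forum's paths and CDN hosts.
MATH_PATTERN = re.compile(r"katex|math", re.IGNORECASE)

def normalize(report):
    """Map both CSP report formats to one shape; return None if not a CSP report."""
    if "csp-report" in report:                      # legacy report-uri format
        b = report["csp-report"]
        return {"directive": b.get("effective-directive") or b.get("violated-directive", ""),
                "fields": [b.get(k, "") for k in ("blocked-uri", "source-file", "document-uri", "script-sample")]}
    if report.get("type") == "csp-violation":       # Reporting API (report-to) format
        b = report.get("body", {})
        return {"directive": b.get("effectiveDirective", ""),
                "fields": [b.get(k, "") for k in ("blockedURL", "sourceFile", "documentURL", "sample")]}
    return None

def is_math_script_violation(report):
    n = normalize(report)
    # Only script execution matters here; font/style/img violations from KaTeX assets are noise.
    if n is None or not n["directive"].startswith("script-src"):
        return False
    return any(MATH_PATTERN.search(str(f)) for f in n["fields"])

def find_math_script_violations(lines):
    """Return the parsed CSP reports from a log stream that match the heuristic."""
    hits = []
    for line in lines:
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            continue                                # non-JSON log lines are skipped
        if isinstance(report, dict) and is_math_script_violation(report):
            hits.append(report)
    return hits

# Constructed sample: four CSP reports (two formats) plus one access-log line.
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    {"csp-report": {"document-uri": "https://forum.example.org/t/math-help/42",
                    "effective-directive": "script-src", "blocked-uri": "inline",
                    "script-sample": "console.log('injected')"}},
    {"csp-report": {"document-uri": "https://forum.example.org/t/math-help/42",
                    "effective-directive": "font-src",
                    "blocked-uri": "https://cdn.example.net/katex/fonts/KaTeX_Main.woff2"}},
    {"csp-report": {"document-uri": "https://forum.example.org/latest",
                    "effective-directive": "script-src",
                    "blocked-uri": "https://ads.example.net/tracker.js"}},
    {"type": "csp-violation", "url": "https://forum.example.org/t/integrals/7",
     "body": {"effectiveDirective": "script-src-elem", "blockedURL": "eval",
              "sourceFile": "https://forum.example.org/plugins/discourse-math/katex.js"}},
]] + ["GET /t/math-help/42 200"]

if __name__ == "__main__":
    for hit in find_math_script_violations(SAMPLE_LOG_LINES):
        print(json.dumps(hit))
```

Feed it the raw report bodies your CSP reporting endpoint stores, one JSON object per line; the font-src and unrelated script-src entries in the sample are intentionally not flagged.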