CVE-2024-54142 Overview
CVE-2024-54142 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Discourse AI plugin, which provides AI features for the Discourse discussion platform. When a Discourse AI Bot conversation containing HTML entities was shared into posts, those entities could leak into the Discourse application through the onebox preview rendered for the shared conversation. Any user visiting a post containing the malicious onebox would execute the injected content within the Discourse origin. The maintainers addressed the issue in commit 92f122c. Site administrators unable to update can remove all groups from the ai bot public sharing allowed groups site setting as a workaround.
Critical Impact
Authenticated attackers with sharing permissions can inject HTML and script content into onebox previews, executing arbitrary JavaScript in the browser of any user who views the affected post.
Affected Products
- Discourse AI plugin (versions prior to commit 92f122c)
- Discourse instances with the AI Bot enabled
- Discourse sites that permit public sharing of AI Bot conversations
Discovery Timeline
- 2025-01-14 - CVE-2024-54142 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-54142
Vulnerability Analysis
The Discourse AI plugin lets users share AI Bot conversations as posts. When another post references that shared conversation URL, Discourse renders a local onebox preview that summarizes the conversation content. The plugin built the onebox HTML by extracting excerpts from cooked post content and concatenating them directly into an HTML string. The excerpt routine was invoked with text_entities: true, which preserved HTML entities from the source content rather than escaping them for safe HTML output. As a result, an attacker-controlled conversation could inject markup that survived rendering and executed in the context of the Discourse application.
Root Cause
The root cause is improper output neutralization in the html_excerpt method of shared_ai_conversation.rb. The call to PrettyText.excerpt used the text_entities: true option, which produces text-oriented entity handling unsuitable for direct HTML interpolation. The resulting string was inserted into a <p> element without further escaping, allowing HTML and script payloads to reach the DOM.
Attack Vector
An authenticated attacker authorized to use the AI Bot crafts a conversation containing HTML entities or script payloads. The attacker shares the conversation publicly and references the share URL in a post, triggering the vulnerable local onebox renderer. Any visitor to that post receives the injected content, enabling session hijacking, forced actions on behalf of the victim, or pivoting against administrative users.
def html_excerpt
html = +""
populated_context.each do |post|
- text =
- PrettyText.excerpt(
- post.cooked,
- 400,
- text_entities: true,
- strip_links: true,
- strip_details: true,
- )
+ text = PrettyText.excerpt(post.cooked, 400, strip_links: true, strip_details: true)
html << "<p><b>#{post.user.username}</b>: #{text}</p>"
if html.length > 1000
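Review bot: the change only fixes the escaping of `text`; `post.user.username` on the `html << "<p><b>#{post.user.username}</b>: #{text}</p>"` line is still interpolated into the `<b>` element unescaped, so the excerpt's safety now rests on username validation living elsewhere. Either escape it at the point of use (`ERB::Util.html_escape(post.user.username)`) or add a comment stating the character set usernames are constrained to, and add a spec that runs a conversation whose cooked content contains `&lt;script&gt;` through `html_excerpt` and asserts the returned string carries no live tag, so the `text_entities: true` regression cannot come back silently.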
Source: Discourse AI commit 92f122c
The patch removes the text_entities: true option so that PrettyText.excerpt returns properly HTML-escaped content before interpolation.
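As an added illustration that is not code from the Discourse AI plugin, the Ruby below models the before-and-after behaviour of html_excerpt. PrettyText.excerpt is replaced by a simplified stand-in named `excerpt` that strips tags and decodes entities, then either returns that decoded text unchanged (the text_entities: true path) or escapes it for HTML (the patched path). `build_onebox` mirrors the `<p><b>username</b>: text</p>` layout and, going one step beyond the upstream patch, escapes the username as well; `onebox_escaped?` is an assumed checker that flags any tag other than the builder's own wrappers. The conversation, usernames and cooked content are constructed.

```ruby
require "cgi"

# Simplified stand-in for PrettyText.excerpt (constructed for this example;
# not Discourse's implementation). Like a SAX parser, it hands the builder the
# *decoded* text of the cooked HTML; `text_entities: true` returns that text
# as-is, while the default re-escapes it so it is safe to interpolate into HTML.
def excerpt(cooked, length, text_entities: false)
  text = CGI.unescapeHTML(cooked.gsub(/<[^>]*>/, "")).strip[0, length]
  text_entities ? text : CGI.escapeHTML(text)
end

# Mirrors the shape of html_excerpt: one <p> per post, username in <b>.
# `posts` is an array of constructed hashes with :username and :cooked.
# The username is escaped too, which goes one step beyond the upstream patch.
def build_onebox(posts, text_entities:)
  html = +""
  posts.each do |post|
    text = excerpt(post[:cooked], 400, text_entities: text_entities)
    html << "<p><b>#{CGI.escapeHTML(post[:username])}</b>: #{text}</p>"
  end
  html
end

# Defender check (assumed helper): the only tags that belong in the onebox
# body are the <p>/<b> wrappers the builder emits; any other `<` means
# conversation content reached the DOM as live markup.
def onebox_escaped?(html)
  !html.match?(%r{<(?!/?[pb]>)})
end

# Constructed conversation: the bot's reply quotes a tag as literal text,
# which Discourse stores entity-encoded in `cooked`.
SAMPLE_CONVERSATION = [
  { username: "alice", cooked: "<p>How do I show a tag as text?</p>" },
  { username: "ai-bot", cooked: "<p>Encode it, e.g. &lt;script&gt;alert(1)&lt;/script&gt; renders as text.</p>" },
].freeze

def vulnerable_onebox
  build_onebox(SAMPLE_CONVERSATION, text_entities: true)
end

def fixed_onebox
  build_onebox(SAMPLE_CONVERSATION, text_entities: false)
end

if __FILE__ == $PROGRAM_NAME
  puts "pre-patch body:  #{vulnerable_onebox}"
  puts "escaped? #{onebox_escaped?(vulnerable_onebox)}"   # false
  puts "post-patch body: #{fixed_onebox}"
  puts "escaped? #{onebox_escaped?(fixed_onebox)}"        # true
end
```

Running it shows the pre-patch body carrying a live `<script>` element while the patched body carries only `&lt;script&gt;`. The real PrettyText.excerpt is a SAX-based parser with many more options (link and details stripping, length accounting); only the escaping decision is modelled here.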
Detection Methods for CVE-2024-54142
Indicators of Compromise
- Posts containing URLs matching the pattern /discourse-ai/ai-bot/shared-ai-conversations/ where the referenced conversation includes raw HTML tags or encoded script payloads.
- Unexpected outbound requests from user browsers to attacker-controlled domains shortly after viewing posts that embed AI Bot conversation oneboxes.
- Audit log entries showing creation of shared AI conversations by accounts that subsequently posted onebox links to public topics.
Detection Strategies
- Review records in the shared_ai_conversations table for stored content containing <script, onerror=, onload=, or HTML-entity-encoded equivalents.
- Inspect cooked post HTML for oneboxes generated from AI Bot conversations and verify that no executable markup is present in the excerpt body.
- Correlate Discourse access logs with content security policy (CSP) violation reports to surface script execution originating from onebox content.
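The stored-content review and the post cross-reference from the two lists above, as an added Ruby example that is not part of the advisory or of the plugin. It decodes stored content repeatedly before matching so that entity-encoded and double-encoded variants of the markers (`<script`, `onerror=`, `onload=`) are caught alongside the literal form, and it picks out posts whose raw text embeds the share path. The `shared_ai_conversations` rows and posts are constructed hashes standing in for ActiveRecord records; the `context` field name and the share key `abc123` are assumptions.

```ruby
require "cgi"

SHARE_PATH = "/discourse-ai/ai-bot/shared-ai-conversations/"

# Markers named in the detection guidance, keyed by a short label. They are
# matched against entity-decoded text, so `&lt;script` and `&#60;script`
# are caught as well as the literal form.
MARKERS = {
  "<script"  => /<script/i,
  "onerror=" => /\bonerror\s*=/i,
  "onload="  => /\bonload\s*=/i,
}.freeze

# Decode until the string stops changing: stored content may be
# entity-encoded more than once (e.g. `&amp;lt;script`), and a single
# CGI.unescapeHTML pass would leave the inner layer intact.
def fully_decode(str, max_rounds: 5)
  max_rounds.times do
    decoded = CGI.unescapeHTML(str)
    return decoded if decoded == str
    str = decoded
  end
  str
end

# Returns the labels of every marker found in `content` after decoding.
def suspicious_markers(content)
  decoded = fully_decode(content.to_s)
  MARKERS.select { |_label, re| decoded.match?(re) }.keys
end

# rows: constructed stand-ins for shared_ai_conversations records. The
# `:context` field holding the conversation text is an assumption about
# the schema; adapt it to the real column.
def flag_conversations(rows)
  rows.filter_map do |row|
    hits = suspicious_markers(row[:context])
    { id: row[:id], user: row[:user], markers: hits } unless hits.empty?
  end
end

# posts: constructed stand-ins for posts; returns ids whose raw text embeds
# a shared-conversation URL, i.e. the posts whose oneboxes need review/rebake.
def posts_embedding_shares(posts)
  posts.select { |post| post[:raw].to_s.include?(SHARE_PATH) }.map { |post| post[:id] }
end

# Constructed sample records: one benign, one with an event-handler marker,
# one with a double-encoded script tag that a single decode would miss.
SAMPLE_ROWS = [
  { id: 1, user: "alice",   context: "<p>How do I post code?</p>" },
  { id: 2, user: "mallory", context: "<p>&lt;img src=x onerror=probe()&gt;</p>" },
  { id: 3, user: "trent",   context: "<p>&amp;#60;script&amp;#62;probe()&amp;#60;/script&amp;#62;</p>" },
].freeze

SAMPLE_POSTS = [
  { id: 10, raw: "Intro thread: https://forum.example/t/welcome/1" },
  { id: 11, raw: "Bot answer: https://forum.example/discourse-ai/ai-bot/shared-ai-conversations/abc123" },
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_conversations(SAMPLE_ROWS).each do |hit|
    puts "conversation #{hit[:id]} by #{hit[:user]}: #{hit[:markers].join(', ')}"
  end
  puts "posts to rebake: #{posts_embedding_shares(SAMPLE_POSTS).inspect}"
end
```

On a live site the same two functions can be fed from a rails console by mapping the real records to the hash shape shown; the marker list is deliberately small and should be extended with whatever your CSP violation reports surface.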
Monitoring Recommendations
- Enable and centrally collect Discourse application logs, paying attention to actions on the AI Bot sharing endpoints.
- Monitor the ai bot public sharing allowed groups site setting for changes and alert on unexpected expansions of allowed groups.
- Track outbound web traffic from authenticated user sessions for anomalous beaconing patterns consistent with stolen session cookies.
How to Mitigate CVE-2024-54142
Immediate Actions Required
- Update the Discourse AI plugin to a version that includes commit 92f122c or later.
- Re-bake existing posts that reference shared AI conversations so that previously cached oneboxes are regenerated with the fixed renderer.
- Audit recently created shared AI conversations and remove any that contain suspicious HTML or script content.
Patch Information
The fix is implemented in Discourse AI commit 92f122c and documented in GitHub Security Advisory GHSA-94c2-qr2h-88jv. The patch removes the unsafe text_entities: true option from the PrettyText.excerpt call in html_excerpt and ships a post-migration that nulls baked_version for affected posts, forcing a rebake on next render.
+# frozen_string_literal: true
+class RebakeSharedAiConversationOneboxes < ActiveRecord::Migration[7.2]
+ def up
+ # Safe marking for rebake using raw SQL
+ DB.exec(<<~SQL)
+ UPDATE posts
+ SET baked_version = NULL
+ WHERE raw LIKE '%/discourse-ai/ai-bot/shared-ai-conversations/%';
+ SQL
+ end
+
+ def down
+ raise ActiveRecord::IrreversibleMigration
+ end
+end
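Review bot: the `UPDATE posts SET baked_version = NULL WHERE raw LIKE '%/discourse-ai/ai-bot/shared-ai-conversations/%'` is an unindexed scan of the whole `posts` table in a single statement, so on a large install it holds row locks for the full duration of the migration. Adding `AND baked_version IS NOT NULL` avoids rewriting rows that are already queued for rebake, and running the update in `id`-range batches keeps it from blocking a deploy. Raising `ActiveRecord::IrreversibleMigration` in `down` is the right call here, since the previous `baked_version` values are not recoverable.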
Source: Discourse AI commit 92f122c
Workarounds
- Remove all groups from the ai bot public sharing allowed groups site setting to disable public sharing of AI Bot conversations until the patch can be applied.
- Restrict AI Bot access to trusted internal groups only, reducing the population of users who can author shareable conversations.
- Enforce a strict Content Security Policy that disallows inline scripts to limit the impact of any residual injection.
# Discourse admin console: clear allowed sharing groups
# Navigate to: /admin/site_settings/category/discourse_ai
# Setting: ai bot public sharing allowed groups
# Value: (empty - remove all groups)
# Force rebake of affected posts via rails console
bundle exec rails runner "Post.where('raw LIKE ?', '%/discourse-ai/ai-bot/shared-ai-conversations/%').update_all(baked_version: nil)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


