Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-22602

CVE-2025-22602: Discourse XSS Vulnerability via Video HTML

CVE-2025-22602 is a cross-site scripting flaw in Discourse that allows attackers to execute arbitrary JavaScript via malicious video placeholder elements. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-22602 Overview

CVE-2025-22602 is a stored Cross-Site Scripting (XSS) vulnerability in Discourse, an open source platform for community discussion. An attacker can execute arbitrary JavaScript in visitors' browsers by posting a malicious video placeholder HTML element. The flaw only affects Discourse sites that have Content Security Policy (CSP) disabled. Successful exploitation lets an attacker run script in the context of the victim's session, enabling actions such as account takeover, forum defacement, or credential theft.

The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation. Discourse patched the flaw in the latest stable and beta releases.

Critical Impact

Attackers can execute arbitrary JavaScript in the browsers of any user viewing a malicious post on Discourse instances running with CSP disabled.

Affected Products

  • Discourse stable versions prior to the patched release
  • Discourse beta versions prior to the patched release
  • Discourse 3.4.0 beta1, beta2, and beta3

Discovery Timeline

  • 2025-02-04 - CVE-2025-22602 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-22602

Vulnerability Analysis

The vulnerability is a stored XSS flaw in Discourse's rendering of video placeholder HTML elements within user-generated posts. When a user submits a post containing a crafted video placeholder element, Discourse fails to sanitize attributes that permit JavaScript execution. Any user who views the post then executes the injected script in their browser session.

Because the payload persists in the post body, exploitation does not require the attacker to interact repeatedly with each victim. A single malicious post reaches every visitor who loads the affected topic. The attack requires the target site to have Content Security Policy disabled, which removes the browser-level guardrail that would otherwise block inline script execution.

Root Cause

The root cause is improper output encoding of the video placeholder element inside Discourse's HTML sanitization pipeline [CWE-79]. Attribute values on the placeholder element were not stripped of executable script contexts before rendering, allowing script-bearing content to survive into the DOM.

Attack Vector

Exploitation is network-based and requires user interaction. An attacker registers or uses an existing account on a Discourse forum, creates a post containing the crafted video placeholder element, and waits for other users to load the topic. The scope is changed because script runs in the security context of the victim's authenticated Discourse session, enabling actions such as CSRF against the site's own API, session data extraction, or redirection to attacker-controlled infrastructure.

See the Discourse GitHub Security Advisory GHSA-jcjx-694p-c5m3 for vendor technical details.

Detection Methods for CVE-2025-22602

Indicators of Compromise

  • Posts containing video placeholder HTML elements with unexpected attributes such as onerror, onload, or javascript: URIs
  • Outbound requests from user browsers to unfamiliar domains immediately after loading a Discourse topic
  • Unexpected session token access or account setting changes originating from legitimate user IPs shortly after forum activity

Detection Strategies

  • Review the Discourse post database for HTML tags associated with video embeds that contain event-handler attributes or script URIs
  • Inspect web server access logs for POST requests to /posts or /topics containing suspicious video embed markup
  • Monitor browser Content Security Policy violation reports if CSP is enabled in report-only mode

Monitoring Recommendations

  • Aggregate Discourse application logs, web server logs, and browser CSP reports into a centralized analytics platform for correlation
  • Alert on administrative account activity that follows a user viewing a newly created topic from an untrusted author
  • Track post edits and creations from low-reputation or newly registered accounts, which are common vectors for stored XSS payloads

How to Mitigate CVE-2025-22602

Immediate Actions Required

  • Upgrade Discourse to the latest patched stable or beta release as published in the vendor advisory
  • Enable Content Security Policy on all Discourse instances if it is currently disabled
  • Audit recent posts on affected instances for video placeholder elements containing script-bearing attributes and remove them

Patch Information

Discourse released a fix in the latest version referenced by GHSA-jcjx-694p-c5m3. The patch corrects sanitization of the video placeholder element so that script-executing attributes are stripped before rendering. Administrators should follow the standard Discourse upgrade path for their deployment method, whether Docker-based or hosted.

Workarounds

  • Enable Content Security Policy in the Discourse admin site settings, which blocks inline script execution even if a payload reaches the DOM
  • Restrict posting privileges to trusted user trust levels until the upgrade is applied
  • Temporarily disable HTML-heavy embed features in the composer for untrusted user groups
bash
# Enable CSP in Discourse via admin site settings
# Navigate to: /admin/site_settings/category/security
# Set the following options to true:
#   content_security_policy = true
#   content_security_policy_strict_dynamic = true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.