CVE-2025-48954 Overview
CVE-2025-48954 is a cross-site scripting (XSS) vulnerability affecting Discourse, an open-source discussion platform. The flaw exists in versions prior to 3.5.0.beta6 and can be exploited when the Content Security Policy (CSP) is disabled while social logins are in use. An attacker can inject and execute arbitrary script content in the context of an authenticated user session. The issue is tracked under CWE-79 and was patched in version 3.5.0.beta6.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser session, enabling session token theft, account takeover, and unauthorized actions against Discourse forums where CSP is not enforced.
Affected Products
- Discourse versions prior to 3.5.0.beta6
- Discourse 3.5.0.beta1 through 3.5.0.beta5
- Discourse deployments using social logins without CSP enabled
Discovery Timeline
- 2025-06-25 - CVE-2025-48954 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-48954
Vulnerability Analysis
The vulnerability is a reflected or DOM-based cross-site scripting condition in the social login flow. Discourse relies on a Content Security Policy as a compensating control to restrict script execution in the browser. When administrators disable CSP, the social login code path does not sufficiently sanitize or encode data before rendering it to the browser. Attackers can craft a malicious link that, when clicked by a target user, executes JavaScript within the origin of the Discourse instance. This grants access to session storage, cookies not marked HttpOnly, and any privileged actions the victim can perform.
Root Cause
The root cause is missing output encoding in the social authentication handler combined with an implicit reliance on CSP to mitigate script injection. Defense in depth was not applied because sanitization at the sink was omitted. When CSP is disabled, no fallback protection prevents inline script execution.
Attack Vector
Exploitation requires network access to the Discourse instance and user interaction, typically clicking a crafted link. The attacker delivers a URL that triggers the vulnerable social login endpoint with injected script payload. Upon rendering, the browser executes the payload under the Discourse origin. See the Discourse Security Advisory GHSA-26p5-mjjh-wfcf for vendor details.
No verified proof-of-concept code is publicly available at this time. Refer to the vendor advisory for further technical context.
Detection Methods for CVE-2025-48954
Indicators of Compromise
- Unexpected outbound requests from user browsers to attacker-controlled domains originating from Discourse forum pages
- Discourse access logs showing crafted query parameters or fragments on social login callback URLs containing HTML or script tokens such as <script>, onerror=, or javascript:
- Session anomalies including logins from unusual geolocations following clicks on links referencing the Discourse domain
Detection Strategies
- Review Discourse instance configuration to confirm whether CSP is enabled under Admin > Settings > Security
- Inspect web server and reverse proxy logs for unusual payloads targeting social authentication routes such as /auth/*
- Correlate user reports of unexpected redirects or popups with authentication events in the Discourse audit log
Monitoring Recommendations
- Alert on HTTP requests to social login endpoints containing encoded angle brackets, javascript: URIs, or event handler attributes
- Monitor for administrative setting changes that disable content_security_policy in Discourse
- Track anomalous authentication patterns following link-based user interactions on the forum
How to Mitigate CVE-2025-48954
Immediate Actions Required
- Upgrade Discourse to version 3.5.0.beta6 or later, which contains the vendor patch
- Enable the Content Security Policy setting in Discourse if upgrading cannot be performed immediately
- Audit forum administrator accounts and reset credentials if suspicious activity is detected
Patch Information
Discourse released the fix in version 3.5.0.beta6. Administrators should upgrade following the standard Discourse update process. The GitHub Security Advisory GHSA-26p5-mjjh-wfcf documents the patched commit and remediation guidance.
Workarounds
- Enable Content Security Policy in Discourse settings, which the vendor identifies as a valid workaround
- Restrict use of social logins until the patched version is deployed
- Configure a strict CSP header at the reverse proxy layer as an additional compensating control
# Verify Discourse version and CSP configuration
cd /var/discourse
./launcher logs app | grep -i version
# Enable CSP via Discourse admin console (example rails console command)
./launcher enter app
rails c
SiteSetting.content_security_policy = true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

