Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-58054

CVE-2025-58054: Discourse XSS Vulnerability via Chat Titles

CVE-2025-58054 is an XSS vulnerability in Discourse that exploits chat channel and thread title parsing through the quote message feature. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-58054 Overview

CVE-2025-58054 is a stored cross-site scripting (XSS) vulnerability in Discourse, an open-source community discussion platform. The flaw exists in the rich text editor's handling of chat channel titles and chat thread titles when rendered through the quote message functionality. Versions 3.5.0 and below improperly parse and render these titles, allowing attackers to inject script content that executes in the context of other users' browsers. The issue is tracked under [CWE-80] (Improper Neutralization of Script-Related HTML Tags in a Web Page). Discourse addressed the flaw in version 3.5.1.

Critical Impact

Authenticated attackers can inject malicious JavaScript into chat channel or thread titles that executes when other users quote messages via the rich text editor, enabling session hijacking, credential theft, and account takeover.

Affected Products

  • Discourse stable versions 3.5.0 and below
  • Discourse beta versions up to 3.6.0 beta1
  • Discourse deployments using the rich text editor with chat plugin enabled

Discovery Timeline

  • 2025-10-01 - CVE-2025-58054 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-58054

Vulnerability Analysis

The vulnerability resides in the Discourse chat plugin's rich editor extension, specifically in plugins/chat/assets/javascripts/lib/rich-editor-extension.js. When a user quotes a chat message, the rich text editor renders the source chat channel title and thread title as part of the quoted transcript. The pre-patch code path passed these titles through emojiUnescape from discourse/lib/text without adequate HTML sanitization. An attacker with permission to create or rename a chat channel or thread can embed script-carrying markup in the title. When any user quotes a message from that channel or thread, the malicious payload is parsed and executed in the victim's browser session.

Root Cause

The root cause is improper neutralization of script-related HTML tags during transcript rendering. Titles were treated as trusted display content rather than untrusted user input, bypassing the sanitization pipeline used elsewhere in the platform. The rich editor extension inserted title strings into the ProseMirror document tree without escaping HTML entities or applying the standard Discourse sanitizer.

Attack Vector

Exploitation requires network access to a Discourse instance and user interaction from a victim who quotes a poisoned message. The attacker needs authenticated access sufficient to create or rename a chat channel or thread. Once the malicious title is stored, any user invoking the quote functionality against a message in that channel or thread triggers the payload.

javascript
// Security patch excerpt - rich-editor-extension.js
+import replaceEmoji from "discourse/helpers/replace-emoji";
 import getURL from "discourse/lib/get-url";
-import { emojiUnescape } from "discourse/lib/text";
 import { i18n } from "discourse-i18n";
 
 /** @type {RichEditorExtension} */

Source: Discourse commit 3a224fd

The patch replaces the unsafe emojiUnescape text helper with replaceEmoji, a helper that returns sanitized DOM nodes rather than raw HTML strings, preventing script injection through title rendering.

Detection Methods for CVE-2025-58054

Indicators of Compromise

  • Chat channel or thread titles containing HTML tags such as <script>, <img onerror=>, or <svg onload=>
  • Unexpected outbound requests from user browsers to attacker-controlled domains after quoting chat messages
  • Session token or cookie exfiltration events correlated with chat quote actions
  • Anomalous title change events in Discourse admin audit logs referencing chat channels or threads

Detection Strategies

  • Query the Discourse database chat_channels and chat_threads tables for title values containing HTML angle brackets or JavaScript event handler attributes
  • Deploy content security policy (CSP) violation reporting to surface inline script execution attempts on chat pages
  • Monitor web application firewall (WAF) logs for HTTP requests that submit chat channel or thread titles containing script tokens

Monitoring Recommendations

  • Enable Discourse staff action logging and alert on change_chat_channel_name and thread title modification events
  • Track quote message events in application logs for correlation with subsequent client-side errors
  • Review CSP report-uri endpoints for script-src violations originating from /chat routes

How to Mitigate CVE-2025-58054

Immediate Actions Required

  • Upgrade all Discourse instances to version 3.5.1 or later, which contains the fix in commit 3a224fd
  • Audit existing chat channel and thread titles for embedded HTML or script content and sanitize or remove offending entries
  • Restrict chat channel and thread creation and rename permissions to trusted user groups until the upgrade is applied

Patch Information

Discourse released the fix in version 3.5.1. The relevant code change is available in Discourse commit 3a224fd546d894ee408e7414b6879e814a792f91 and documented in GitHub Security Advisory GHSA-7p47-8m82-m2vf. The patch replaces the unsafe emoji unescape helper with a sanitized DOM-producing equivalent in the chat rich editor extension.

Workarounds

  • Temporarily disable the chat plugin from Discourse admin settings until the upgrade is deployed
  • Disable the rich text editor for chat message composition and require the plain markdown composer instead
  • Enforce a strict Content Security Policy that blocks inline scripts on chat routes to reduce exploitation impact
bash
# Upgrade Discourse to the patched release
cd /var/discourse
git pull
./launcher rebuild app

# Verify version after rebuild
./launcher enter app
rails r 'puts Discourse::VERSION::STRING'
# Expected output: 3.5.1 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.