CVE-2025-58054 Overview
CVE-2025-58054 is a stored cross-site scripting (XSS) vulnerability in Discourse, an open-source community discussion platform. The flaw exists in the rich text editor's handling of chat channel titles and chat thread titles when rendered through the quote message functionality. Versions 3.5.0 and below improperly parse and render these titles, allowing attackers to inject script content that executes in the context of other users' browsers. The issue is tracked under [CWE-80] (Improper Neutralization of Script-Related HTML Tags in a Web Page). Discourse addressed the flaw in version 3.5.1.
Critical Impact
Authenticated attackers can inject malicious JavaScript into chat channel or thread titles that executes when other users quote messages via the rich text editor, enabling session hijacking, credential theft, and account takeover.
Affected Products
- Discourse stable versions 3.5.0 and below
- Discourse beta versions up to 3.6.0 beta1
- Discourse deployments using the rich text editor with chat plugin enabled
Discovery Timeline
- 2025-10-01 - CVE-2025-58054 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-58054
Vulnerability Analysis
The vulnerability resides in the Discourse chat plugin's rich editor extension, specifically in plugins/chat/assets/javascripts/lib/rich-editor-extension.js. When a user quotes a chat message, the rich text editor renders the source chat channel title and thread title as part of the quoted transcript. The pre-patch code path passed these titles through emojiUnescape from discourse/lib/text without adequate HTML sanitization. An attacker with permission to create or rename a chat channel or thread can embed script-carrying markup in the title. When any user quotes a message from that channel or thread, the malicious payload is parsed and executed in the victim's browser session.
Root Cause
The root cause is improper neutralization of script-related HTML tags during transcript rendering. Titles were treated as trusted display content rather than untrusted user input, bypassing the sanitization pipeline used elsewhere in the platform. The rich editor extension inserted title strings into the ProseMirror document tree without escaping HTML entities or applying the standard Discourse sanitizer.
Attack Vector
Exploitation requires network access to a Discourse instance and user interaction from a victim who quotes a poisoned message. The attacker needs authenticated access sufficient to create or rename a chat channel or thread. Once the malicious title is stored, any user invoking the quote functionality against a message in that channel or thread triggers the payload.
// Security patch excerpt - rich-editor-extension.js
+import replaceEmoji from "discourse/helpers/replace-emoji";
import getURL from "discourse/lib/get-url";
-import { emojiUnescape } from "discourse/lib/text";
import { i18n } from "discourse-i18n";
/** @type {RichEditorExtension} */
Source: Discourse commit 3a224fd
The patch replaces the unsafe emojiUnescape text helper with replaceEmoji, a helper that returns sanitized DOM nodes rather than raw HTML strings, preventing script injection through title rendering.
Detection Methods for CVE-2025-58054
Indicators of Compromise
- Chat channel or thread titles containing HTML tags such as <script>, <img onerror=>, or <svg onload=>
- Unexpected outbound requests from user browsers to attacker-controlled domains after quoting chat messages
- Session token or cookie exfiltration events correlated with chat quote actions
- Anomalous title change events in Discourse admin audit logs referencing chat channels or threads
Detection Strategies
- Query the Discourse database chat_channels and chat_threads tables for title values containing HTML angle brackets or JavaScript event handler attributes
- Deploy content security policy (CSP) violation reporting to surface inline script execution attempts on chat pages
- Monitor web application firewall (WAF) logs for HTTP requests that submit chat channel or thread titles containing script tokens
Monitoring Recommendations
- Enable Discourse staff action logging and alert on change_chat_channel_name and thread title modification events
- Track quote message events in application logs for correlation with subsequent client-side errors
- Review CSP report-uri endpoints for script-src violations originating from /chat routes
How to Mitigate CVE-2025-58054
Immediate Actions Required
- Upgrade all Discourse instances to version 3.5.1 or later, which contains the fix in commit 3a224fd
- Audit existing chat channel and thread titles for embedded HTML or script content and sanitize or remove offending entries
- Restrict chat channel and thread creation and rename permissions to trusted user groups until the upgrade is applied
Patch Information
Discourse released the fix in version 3.5.1. The relevant code change is available in Discourse commit 3a224fd546d894ee408e7414b6879e814a792f91 and documented in GitHub Security Advisory GHSA-7p47-8m82-m2vf. The patch replaces the unsafe emoji unescape helper with a sanitized DOM-producing equivalent in the chat rich editor extension.
Workarounds
- Temporarily disable the chat plugin from Discourse admin settings until the upgrade is deployed
- Disable the rich text editor for chat message composition and require the plain markdown composer instead
- Enforce a strict Content Security Policy that blocks inline scripts on chat routes to reduce exploitation impact
# Upgrade Discourse to the patched release
cd /var/discourse
git pull
./launcher rebuild app
# Verify version after rebuild
./launcher enter app
rails r 'puts Discourse::VERSION::STRING'
# Expected output: 3.5.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

