JavaScript Injection Vulnerability in Discourse by Discourse
CVE-2025-22602

6.5MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 4 February 2025

What is CVE-2025-22602?

Discourse is a widely used open source platform designed for community discussions. In certain versions, a vulnerability exists that allows attackers to inject arbitrary JavaScript into users' browsers through a specially crafted video placeholder HTML element. This security issue arises specifically on sites that have Content Security Policy (CSP) disabled, exposing users to potential malicious scripts. To mitigate this risk, users are strongly encouraged to upgrade to the latest version of Discourse, where this vulnerability has been patched. For those unable to perform an upgrade, enabling CSP may provide an additional layer of protection against this type of attack.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

discourse stable: <= 3.3.3 <= stable: 3.3.3

discourse beta: <= 3.4.0.beta3 <= beta: 3.4.0.beta3

discourse tests-passed: <= 3.4.0.beta3 <= tests-passed: 3.4.0.beta3

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Jan 7, 2025

JSON

Discourse

What is CVE-2025-22602?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.