JavaScript Injection Vulnerability in Discourse by Discourse
CVE-2025-22602

6.5MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 4 February 2025

Summary

Discourse is a widely used open source platform designed for community discussions. In certain versions, a vulnerability exists that allows attackers to inject arbitrary JavaScript into users' browsers through a specially crafted video placeholder HTML element. This security issue arises specifically on sites that have Content Security Policy (CSP) disabled, exposing users to potential malicious scripts. To mitigate this risk, users are strongly encouraged to upgrade to the latest version of Discourse, where this vulnerability has been patched. For those unable to perform an upgrade, enabling CSP may provide an additional layer of protection against this type of attack.

Affected Version(s)

discourse stable: <= 3.3.3 <= stable: 3.3.3

discourse beta: <= 3.4.0.beta3 <= beta: 3.4.0.beta3

discourse tests-passed: <= 3.4.0.beta3 <= tests-passed: 3.4.0.beta3

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Jan 7, 2025