WebAuthn Challenge Reuse Vulnerability in Discourse Community Platform
CVE-2025-53102
8.2 HIGH
What is CVE-2025-53102?
Discourse, the open-source community discussion platform, does not clear the WebAuthn challenge from the user's session after it has been used during 2FA authentication. The challenge is what ties a WebAuthn assertion to one specific login attempt, so leaving it in the session after a successful check allows that same challenge to be used again instead of being single-use. Users should upgrade to version 3.4.7 or 3.5.0.beta.8, where the challenge is cleared once it has been consumed.
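The following is an added illustration of the challenge lifecycle, not Discourse's own code. It models the 2FA step as a session hash, uses an HMAC over clientDataJSON as a stand-in for the authenticator's real ES256 signature (the signature scheme is irrelevant to the bug; only whether the challenge survives verification matters), and contrasts a verifier that leaves the challenge in the session with one that deletes it before checking. All names (`issue_challenge`, `verify_2fa_vulnerable`, `verify_2fa_fixed`, the origin) are assumed for the example.

```ruby
require 'securerandom'
require 'openssl'
require 'json'

# Constructed stand-in for the credential's key material: shared between the
# "authenticator" and the "server" so HMAC can imitate a signature check.
AUTHENTICATOR_KEY = SecureRandom.bytes(32)
ORIGIN = 'https://forum.example' # assumed relying-party origin

# Server side: mint a fresh random challenge and remember it in the session.
def issue_challenge(session)
  session[:webauthn_challenge] = SecureRandom.urlsafe_base64(32)
end

# Stand-in authenticator: builds clientDataJSON for the challenge and "signs" it.
def authenticator_sign(challenge)
  client_data = JSON.generate({ type: 'webauthn.get', challenge: challenge, origin: ORIGIN })
  { client_data_json: client_data,
    signature: OpenSSL::HMAC.digest('SHA256', AUTHENTICATOR_KEY, client_data) }
end

# Constant-time byte comparison so the challenge/signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: the assertion is valid only if the signature verifies AND the
# challenge inside clientDataJSON is exactly the one the server is expecting.
def assertion_valid?(assertion, expected_challenge)
  return false if expected_challenge.nil?
  data = JSON.parse(assertion[:client_data_json])
  return false unless data['type'] == 'webauthn.get' && data['origin'] == ORIGIN
  expected_sig = OpenSSL::HMAC.digest('SHA256', AUTHENTICATOR_KEY, assertion[:client_data_json])
  return false unless secure_equal?(expected_sig, assertion[:signature])
  secure_equal?(data['challenge'].to_s, expected_challenge)
end

# Vulnerable pattern: the challenge stays in the session after a successful check,
# so any assertion produced for it keeps verifying.
def verify_2fa_vulnerable(session, assertion)
  assertion_valid?(assertion, session[:webauthn_challenge])
end

# Fixed pattern: the challenge is removed from the session before it is checked,
# so it is consumed by the first attempt (successful or not) and cannot match again.
def verify_2fa_fixed(session, assertion)
  challenge = session.delete(:webauthn_challenge)
  assertion_valid?(assertion, challenge)
end

# Drive one login followed by a replay of the same captured assertion and report
# whether each attempt was accepted.
def replay_outcome(verify)
  session = {}
  challenge = issue_challenge(session)
  captured = authenticator_sign(challenge)   # what an observer of the first login would hold
  first  = verify.call(session, captured)
  second = verify.call(session, captured)    # replay of the identical assertion
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{replay_outcome(method(:verify_2fa_vulnerable)).inspect}"
  puts "fixed:      #{replay_outcome(method(:verify_2fa_fixed)).inspect}"
end
```

The check a reviewer wants on the real code is the one made visible by `verify_2fa_fixed`: the challenge must be read out of and removed from the session in a single step before verification, so that a failed or repeated attempt cannot reuse it. Deleting it only on the success path would still leave a window for retries against the same challenge.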
Affected Version(s)
discourse >= 3.5.0.beta1, < 3.5.0.beta.8 (fixed in 3.5.0.beta.8)
discourse < 3.4.7 (fixed in 3.4.7)
References
CVSS V4
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Present
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved