CVE-2025-53102

EUVD-2025-23042

29.07.2025, 20:15

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
discourse	discourse	𝑥 < 3.4.6
discourse	discourse	𝑥 ≤ 3.5.0
discourse	discourse	3.5.0:beta1
discourse	discourse	3.5.0:beta2
discourse	discourse	3.5.0:beta3
discourse	discourse	3.5.0:beta4
discourse	discourse	3.5.0:beta5
discourse	discourse	3.5.0:beta6
discourse	discourse	3.5.0:beta7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-384 - Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802

https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb

https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv