
Discourse CVE-2025-48053

EUVD-2025-17463 · HIGH
Uncontrolled Resource Consumption (CWE-400)
Published 2025-06-09 · security-advisories@github.com
CVSS 3.1 score 7.5 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline (6 events, newest first)

  • Apr 16, 2026 06:43 · Analysis Updated · source: EUVD-patch-fix (executive_summary)
  • Apr 16, 2026 05:29 · Re-analysis Queued · source: backfill_euvd_patch (patch_released)
  • Apr 16, 2026 05:29 · Patch available · source: EUVD · fixed versions: 3.4.4, 3.5.0.beta5, 3.5.0.beta6-dev
  • Mar 14, 2026 19:21 · EUVD ID Assigned · source: euvd · EUVD-2025-17463
  • Mar 14, 2026 19:21 · Analysis Generated · source: vuln.today
  • Jun 09, 2025 13:15 · CVE Published · source: nvd · HIGH 7.5

Description (GitHub Advisory)

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, sending a malicious URL in a PM to a bot user can reduce the availability of a Discourse instance. This issue is patched in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch. No known workarounds are available.

Analysis (AI)

Denial-of-service vulnerability in Discourse: sending malicious URLs in private messages to bot users reduces the availability of the instance. The GitHub Advisory vector (AV:N/AC:L/PR:N/UI:N) rates the attack as network-reachable and low-complexity, requiring neither privileges nor user interaction, with impact confined to availability (A:H), for a CVSS 3.1 score of 7.5 (High). Affected versions are Discourse prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed). Patches are available in those versions; no workaround is known and no public exploit has been reported.

Technical Context (AI)

The advisory classifies the issue as CWE-400 (Uncontrolled Resource Consumption) and identifies only the trigger: a malicious URL in a private message addressed to a bot user. It does not describe the mechanism. The classification implies that processing the URL, rather than merely storing it, consumes CPU, memory, or worker time out of proportion to the request. That points at the work Discourse performs on URLs in new posts (link parsing and link-preview, or onebox, generation) and at whatever bot-specific handling runs when a bot is the PM recipient, but this is an inference from the CWE and the trigger, not a detail stated in the advisory. Because the rated impact is availability only, the practical consequence is that an attacker who can send such messages can tie up the instance's request or background workers. The fix landed in all three maintained branches (stable, beta, tests-passed).

Remediation (AI)

  • action: Upgrade immediately; details: Update Discourse to 3.4.4 or later (stable), 3.5.0.beta5 or later (beta), or 3.5.0.beta6-dev or later (tests-passed).
  • action: Workarounds; details: None are published, so patching is the only complete remediation. Until the upgrade is applied, reduce exposure by restricting who can send PMs to bot accounts and by rate-limiting PM creation at the edge (reverse proxy or WAF), bearing in mind that the advisory rates the attack as needing no privileges.
  • action: Monitoring; details: Watch for bursts of PMs to bot users from a single sender or IP and for PMs carrying unusually long or numerous URLs. Correlate with CPU, memory, and background job queue (Sidekiq) growth, since a successful attack shows up as resource exhaustion rather than as an error.
  • action: Deployment prioritization; details: Patch internet-facing instances that have bot accounts enabled first. Internal or private instances with limited bot usage can follow standard change management.
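The monitoring and rate-limiting items above say what to look for but not how. The Ruby script below is an added example, not Discourse's own code and not part of the advisory: it runs the two checks a detection engineer would write over a feed of PM-creation events, flagging senders who burst PMs at bot accounts inside a sliding window and messages whose URLs are oversized or unusually numerous. The one-line event format, the bot account names (discobot, system), the sample events, and every threshold are assumptions chosen for the example; a real deployment would source the events from the instance's own logs or database and tune the thresholds to its normal traffic.

```ruby
require "time"

# Added example, not Discourse code. Detection heuristics for the CWE-400
# pattern in the advisory: private messages to bot users that carry abusive
# URLs or arrive in bursts. Every constant is an assumption for the example.
BOT_USERS = %w[discobot system].freeze # assumed bot account names
MAX_URLS_PER_PM = 5                    # more URLs than this in one PM is flagged
MAX_URL_LENGTH = 512                   # longer URLs are flagged
WINDOW_SECONDS = 60                    # sliding window for the burst check
MAX_BOT_PMS_PER_WINDOW = 10            # more bot PMs per sender per window is flagged

Event = Struct.new(:time, :sender, :recipient, :body)

# Assumed (constructed) event format, one PM per line:
#   <ISO 8601 time> <sender> <recipient> <message body>
def parse_event(line)
  ts, sender, recipient, body = line.split(" ", 4)
  Event.new(Time.iso8601(ts), sender, recipient, body.to_s)
end

# Pull http(s) URLs out of a message body.
def extract_urls(body)
  body.scan(%r{https?://[^\s<>"']+})
end

# Returns an array of [sender, finding_kind, value] triples.
# Assumes the lines arrive in time order, as a log tail would.
def analyze(lines)
  findings = []
  recent = Hash.new { |h, k| h[k] = [] } # sender => times of recent bot PMs

  lines.each do |line|
    ev = parse_event(line)
    next unless BOT_USERS.include?(ev.recipient) # only PMs to bots matter here

    urls = extract_urls(ev.body)
    findings << [ev.sender, :too_many_urls, urls.size] if urls.size > MAX_URLS_PER_PM
    urls.each do |u|
      findings << [ev.sender, :oversized_url, u.length] if u.length > MAX_URL_LENGTH
    end

    # Sliding-window burst check: keep only timestamps inside the window.
    window = recent[ev.sender]
    window << ev.time
    window.reject! { |t| ev.time - t > WINDOW_SECONDS }
    findings << [ev.sender, :bot_pm_burst, window.size] if window.size > MAX_BOT_PMS_PER_WINDOW
  end
  findings
end

# Constructed sample data (not captured from a real instance).
def sample_log
  lines = [
    "2025-06-09T13:00:00Z alice discobot Hello bot, see https://example.com/docs",
    "2025-06-09T13:00:05Z alice bob Human-to-human PM, ignored https://example.com/x",
    "2025-06-09T13:00:10Z mallory discobot Try https://example.com/?q=#{'a' * 600}",
    "2025-06-09T13:00:20Z eve discobot #{(0..5).map { |i| "https://example.com/#{i}" }.join(' ')}",
  ]
  # Twelve bot PMs from one sender inside one minute.
  12.times do |i|
    lines << "2025-06-09T13:01:#{format('%02d', i)}Z mallory discobot ping https://example.com/#{i}"
  end
  lines
end

if __FILE__ == $PROGRAM_NAME
  analyze(sample_log).each { |sender, kind, value| puts "#{sender}: #{kind} (#{value})" }
end
```

On the sample data the script reports mallory's oversized URL, eve's six-URL message, and mallory's burst once the eleventh bot PM lands inside the sixty-second window; alice's single bot PM and her PM to a human produce nothing. The burst check is the one to feed into an alert or an edge rate limit, since a single long URL is noisy on its own.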


CVE-2025-48053 vulnerability details – vuln.today
