EUVD-2025-17469

CVE-2025-48877 | CRITICAL
Published 2025-06-09 | Reporter: [email protected]
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd) EUVD-2025-17469
Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
CVE Published: Jun 09, 2025 - 13:15 (nvd)

Description

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.

Analysis

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vulnerability where Codepen is included in the default allowed_iframes site setting and can auto-execute arbitrary JavaScript within the iframe scope, enabling unauthenticated remote code execution. With a CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability poses severe risk to all default Discourse installations and should be prioritized for immediate patching.

Technical Context

Discourse's `allowed_iframes` site setting controls which external domains can be embedded as iframes within forum content. Codepen embeds were included in the default allowlist to enable code snippet sharing. The vulnerability arises from CWE-1038 (Improper Restriction of Rendered UI Layers or Frames), where Codepen's iframe implementation can auto-execute JavaScript payloads passed via iframe attributes or URL parameters, bypassing expected sandbox restrictions. This occurs because Codepen does not enforce strict content security policies or sandbox attribute restrictions that would prevent script execution. The issue affects all installations using default site settings without explicit configuration changes, impacting deployments across CPE:2.3:a:discourse:discourse:*:*:*:*:*:*:*:* where version < 3.4.4 (stable branch).

Affected Products

Discourse:
All versions before 3.4.4 (stable branch)
All versions before 3.5.0.beta5 (beta branch)
All versions before 3.5.0.beta6-dev (tests-passed branch)

Remediation

Upgrade: Upgrade to patched versions immediately: 3.4.4 or later (stable branch), 3.5.0.beta5 or later (beta branch), 3.5.0.beta6-dev or later (tests-passed branch). Instructions: apply the security update through the standard Discourse update mechanism or a Docker image refresh.

Workaround: Remove Codepen from the allowed_iframes site setting. Instructions: navigate to Admin > Settings > Security > allowed_iframes and remove any Codepen domain entries (codepen.io, *.codepen.io, etc.) until the patch is applied. Effectiveness: prevents exploitation but removes Codepen embedding functionality.

Monitoring: Audit existing forum content for malicious Codepen embeds. Instructions: search the post content database for Codepen iframe references created by untrusted users during the vulnerable period; review access logs for suspicious activity.
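The workaround and monitoring steps above can be checked programmatically. The following is an added example, not Discourse's own code: it assumes Discourse stores the list-type `allowed_iframes` setting as a pipe-separated string of URL prefixes and that a post's rendered ("cooked") HTML is available as a string; the sample setting value and sample post are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a Discourse `allowed_iframes` value. Assumption for this
# example: list-type site settings are stored as a pipe-separated string of prefixes.
SAMPLE_ALLOWED_IFRAMES = (
    "https://www.google.com/maps/embed?|"
    "https://www.openstreetmap.org/export/embed.html?|"
    "https://codepen.io/"
)

def is_codepen_host(url: str) -> bool:
    """True if the URL's host is codepen.io or any subdomain of it (not look-alikes)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "codepen.io" or host.endswith(".codepen.io")

def codepen_prefixes(allowed_iframes: str) -> list[str]:
    """Entries of allowed_iframes that point at Codepen; non-empty means the workaround is not applied."""
    entries = [e.strip() for e in allowed_iframes.split("|") if e.strip()]
    return [e for e in entries if is_codepen_host(e)]

class _IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag names
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def codepen_iframes(cooked_html: str) -> list[str]:
    """iframe src values in rendered post HTML that point at Codepen (audit step)."""
    parser = _IframeCollector()
    parser.feed(cooked_html)
    return [s for s in parser.srcs if is_codepen_host(s)]

# Constructed sample of a cooked post containing one Codepen embed and one map embed.
SAMPLE_POST = (
    '<p>demo</p><iframe src="https://codepen.io/someuser/embed/abcdef"></iframe>'
    '<iframe src="https://www.openstreetmap.org/export/embed.html?bbox=1"></iframe>'
)

if __name__ == "__main__":
    print("Codepen allowlist entries:", codepen_prefixes(SAMPLE_ALLOWED_IFRAMES))
    print("Codepen iframes in post:", codepen_iframes(SAMPLE_POST))
```

Run `codepen_prefixes` against the live setting value to confirm the workaround is in place, and `codepen_iframes` over each post's cooked HTML to build the list of embeds to review.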

Priority Score

Score: 49 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.2, CVSS +49, POC 0


EUVD-2025-17469 vulnerability details – vuln.today