Severity by source
Primary rating from GitHub Advisory, the only source for this CVE.
CVSS Vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (GitHub Advisory)
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowed_iframes site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch. As a workaround, the Codepen prefix can be removed from a site's allowed_iframes.
Analysis (AI)
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) ship with Codepen in the default allowed_iframes site setting, and a Codepen embed can auto-run arbitrary JavaScript within the iframe's scope, so an unauthenticated party can get attacker-controlled script executed inside the embedded frame. With a CVSS score of 9.8 (network attack vector, no privileges or user interaction required), the issue affects every installation running the default site settings and should be prioritized for immediate patching.
Technical Context (AI)
Discourse's allowed_iframes site setting controls which external URL prefixes may be embedded as iframes within forum content. Codepen embeds were included in the default allowlist to enable code snippet sharing. The vulnerability is classified as CWE-1038 (Improper Restriction of Rendered UI Layers or Frames): Codepen's iframe implementation can auto-execute JavaScript payloads passed via iframe attributes or URL parameters, bypassing the sandbox restrictions an allowlisted embed is expected to stay within. This occurs because Codepen does not enforce strict content security policies or sandbox attribute restrictions that would prevent script execution. The issue affects all installations using the default site settings without explicit configuration changes, i.e. deployments matching cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:* with version < 3.4.4 (stable branch).
Remediation (AI)
Upgrade to patched versions immediately:
- 3.4.4 or later (stable branch)
- 3.5.0.beta5 or later (beta branch)
- 3.5.0.beta6-dev or later (tests-passed branch)
Instructions: Apply the security update through the standard Discourse update mechanism or a Docker image refresh.

Workaround: Remove Codepen from the allowed_iframes site setting.
Instructions: Navigate to Admin > Settings > Security > allowed_iframes and remove any Codepen domain entries (codepen.io, *.codepen.io, etc.) until the patch is applied.
Effectiveness: Prevents exploitation but removes Codepen embedding functionality.

Monitoring: Audit existing forum content for malicious Codepen embeds.
Instructions: Search the post content database for Codepen iframe references created by untrusted users during the vulnerable period; review access logs for suspicious activity.
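The workaround and the monitoring step above can both be scripted. The following Ruby is an added example written for this page, not code from Discourse or from the advisory: it strips Codepen prefixes out of an allowed_iframes value and scans rendered post HTML for Codepen iframes so the posts can be reviewed. It assumes (as Discourse list settings do, but this is stated here as an assumption) that allowed_iframes is a '|'-separated string of URL prefixes, and that post bodies are available as rendered HTML strings; the setting value and the posts below are constructed sample data, and the regex-based iframe scan is a deliberately dependency-free stand-in for a real HTML parser.

```ruby
# Added example (not Discourse's own code). Audit helpers for the CVE's
# workaround (remove Codepen from allowed_iframes) and monitoring advice
# (find Codepen iframes in existing posts). Runs offline on sample data.
require 'uri'

# Hosts considered "Codepen": codepen.io and any subdomain of it.
CODEPEN_HOST_RE = /\A(?:.*\.)?codepen\.io\z/i

# Pull the src attribute out of each <iframe> tag (single or double quotes).
IFRAME_SRC_RE = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i

# Constructed sample allowed_iframes value, assumed '|'-separated as in Discourse list settings.
SAMPLE_ALLOWED_IFRAMES = [
  'https://www.google.com/maps/embed?',
  'https://www.openstreetmap.org/export/embed.html?',
  'https://codepen.io/',
  'https://calendar.google.com/calendar/embed?'
].join('|')

# Constructed sample posts; :cooked stands in for the rendered HTML of a post.
SAMPLE_POSTS = [
  { id: 101, username: 'alice',     cooked: '<p>Map</p><iframe src="https://www.google.com/maps/embed?pb=x"></iframe>' },
  { id: 102, username: 'newuser42', cooked: '<p>Demo</p><iframe src="https://codepen.io/someone/embed/abc123?default-tab=result"></iframe>' },
  { id: 103, username: 'bob',       cooked: '<p>no iframes here</p>' },
  { id: 104, username: 'newuser42', cooked: "<iframe width='600' src='https://CodePen.io/x/embed/zzz'></iframe>" }
]

# Host part of a URL prefix or host glob. "*.codepen.io" is treated as its base host;
# values without a scheme fall back to the text before the first slash.
def host_of(value)
  cleaned = value.sub(/\A\*\./, '')
  host = URI.parse(cleaned).host
  host || cleaned.split('/').first
rescue URI::InvalidURIError
  cleaned.split('/').first
end

def codepen_host?(value)
  CODEPEN_HOST_RE.match?(host_of(value).to_s)
end

def parse_allowed_iframes(setting)
  setting.split('|').map(&:strip).reject(&:empty?)
end

def codepen_prefix?(prefix)
  codepen_host?(prefix)
end

# The workaround: the same setting with every Codepen prefix removed.
def workaround_setting(setting)
  parse_allowed_iframes(setting).reject { |p| codepen_prefix?(p) }.join('|')
end

# The monitoring step: every Codepen iframe found in the posts, with its author,
# so a moderator can review what was embedded during the vulnerable period.
def find_codepen_embeds(posts)
  posts.flat_map do |post|
    post[:cooked].scan(IFRAME_SRC_RE).flatten.filter_map do |src|
      next unless codepen_host?(src)
      { post_id: post[:id], username: post[:username], src: src }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Hardened allowed_iframes: #{workaround_setting(SAMPLE_ALLOWED_IFRAMES)}"
  find_codepen_embeds(SAMPLE_POSTS).each do |hit|
    puts "post #{hit[:post_id]} by #{hit[:username]}: #{hit[:src]}"
  end
end
```

In a real deployment the setting value would come from the admin export of allowed_iframes and the posts from the forum's post table; the host check is case-insensitive and matches subdomains, so mixed-case or www-prefixed Codepen URLs are not missed.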
EUVD ID: EUVD-2025-17469