EUVD-2025-28274

CVE-2025-48954 | Severity: HIGH
Published: 2025-06-25 (source: [email protected])
CVSS 3.1 base score: 8.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd) - EUVD-2025-28274
Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
CVE Published: Jun 25, 2025 - 14:15 (nvd) - HIGH 8.1

Description

Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled.

Analysis

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in the social login functionality that is only exploitable when Content Security Policy (CSP) is disabled. An unauthenticated attacker can craft a malicious link that leverages the social authentication endpoints to inject arbitrary JavaScript, which could be used to steal session tokens or credentials, or to perform actions on behalf of the victim. The vulnerability requires user interaction (the victim must click the malicious link) but has a high impact on confidentiality and integrity and no impact on availability.

Technical Context

This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability specific to Discourse's social login authentication handlers. The root cause appears to be insufficient input sanitization or output encoding in the social login callback/processing endpoints; when CSP is not active, no secondary defense remains to block the injected script. Discourse (CPE identifier: cpe:2.3:a:discourse:discourse) is a Ruby on Rails-based discussion platform; the vulnerability likely exists in the OmniAuth integration layer or in the social provider callback handlers that process untrusted input from OAuth providers or redirect parameters without proper encoding. Because exploitation depends on CSP being disabled, Discourse evidently relies on CSP as a primary XSS mitigation in production deployments. Affected versions: Discourse < 3.5.0.beta6.

Affected Products

Discourse (< 3.5.0.beta6)

Priority Score

54 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +14.0
CVSS: +40
POC: 0


EUVD-2025-28274 vulnerability details – vuln.today
