PT-2025-24434 · Codepen+1

Lowtgxworld

Published 2025-06-09 · Updated 2025-06-11 · CVE-2025-48877

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.4.4; Discourse version 3.5.0.beta5 and earlier of the beta branch; Discourse version 3.5.0.beta6-dev and earlier of the tests-passed branch.

Description: Discourse is an open-source discussion platform. In versions prior to the fixed ones, Codepen is present in the default site setting allowed iframes and can potentially auto-run arbitrary JavaScript code in the iframe scope, which is unintended.

Recommendations: For Discourse versions prior to 3.4.4, update to version 3.4.4 or later. For Discourse version 3.5.0.beta5 and earlier of the beta branch, update to a version later than 3.5.0.beta5. For Discourse version 3.5.0.beta6-dev and earlier of the tests-passed branch, update to a version later than 3.5.0.beta6-dev. As a temporary workaround for all affected versions, consider removing the Codepen prefix from the site's allowed iframes setting to minimize the risk of exploitation.

Related Identifiers

BIT-DISCOURSE-2025-48877
CVE-2025-48877
GHSA-CM93-6M2M-CJCV

Affected Products

Codepen
Discourse