CVE-2025-46824
Description
The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin. As a workaround, one may disable the plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Discourse Code Review Plugin before commit eed3a80 allowed XSS via auto-linked malicious GitHub commit links.
Vulnerability
The Discourse Code Review Plugin, used to review GitHub commits on Discourse, had a feature that automatically linked commit hashes in posts to corresponding topics. Prior to commit eed3a80, the auto_link_commits function replaced commit hashes with anchor tags using user-controlled content without proper sanitization, allowing an attacker to inject arbitrary HTML and JavaScript [1][2].
Exploitation
An attacker could post a link to a malicious GitHub commit containing crafted content. When other users viewed the post, the plugin would process the commit and replace the hash with an anchor tag containing the attacker-controlled URL, leading to execution of the attacker's script in the context of the Discourse application [2]. No authentication or special privileges were required beyond the ability to post on a Discourse instance with the plugin enabled.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of users who view the affected posts. This could lead to session hijacking, data theft, or other client-side attacks within the Discourse application [2]. The vulnerability was rated as Low severity due to the requirement that an attacker must be able to post content and the need for user interaction (clicking the link).
Mitigation
The vulnerability is patched in commit eed3a80 of the discourse-code-review plugin, which removes the auto-linking feature entirely [1]. Users are advised to update the plugin to the latest version. If updating is not immediately possible, a workaround is to disable the plugin entirely [2].
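The pattern the narrative describes (a commit hash swapped for an anchor tag whose href and text come from untrusted input) is shown below beside a hardened builder, as an added Ruby example that is not the plugin's code and not the removed `auto_link_commits` function itself. The names `unsafe_commit_link`, `safe_commit_link`, `safe_commit_url?`, `ALLOWED_HOSTS` and the `lookup` hash are hypothetical; the real plugin resolved hashes from its database. The hardened version allow-lists the URL scheme and host and HTML-escapes every value at the point it is written into markup, which is the general fix for this bug class whether or not the feature is kept.

```ruby
require "erb"
require "uri"

# Hypothetical token pattern for commit hashes (7 to 40 hex digits).
COMMIT_SHA_RE = /\b\h{7,40}\b/

# Unsafe pattern: strings that an attacker can influence are interpolated
# straight into HTML, so any quote or angle bracket becomes markup.
def unsafe_commit_link(sha, url)
  "<a href=\"#{url}\">#{sha}</a>"
end

# Hardened builder. Hosts are an assumption for this example.
ALLOWED_HOSTS = ["github.com"].freeze

# A link target is accepted only if it parses as https on an allow-listed host.
def safe_commit_url?(url)
  uri = URI.parse(url)
  uri.scheme.to_s.downcase == "https" && ALLOWED_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

# Every value is escaped for the context it lands in (attribute and text node);
# a rejected URL degrades to plain escaped text instead of a link.
def safe_commit_link(sha, url)
  escaped_sha = ERB::Util.html_escape(sha)
  return escaped_sha unless safe_commit_url?(url)
  %(<a href="#{ERB::Util.html_escape(url)}">#{escaped_sha}</a>)
end

# Auto-link SHA-looking tokens in a post body. `lookup` (constructed here)
# maps a hash to the URL it should link to; the body is escaped before
# matching so no raw markup from the post survives.
def auto_link_commits(text, lookup)
  ERB::Util.html_escape(text).gsub(COMMIT_SHA_RE) do |sha|
    url = lookup[sha]
    url ? safe_commit_link(sha, url) : sha
  end
end
```

Escaping the whole body first and only then substituting links keeps the output independent of what the post contained; the URL check is applied even to values that came from storage, since the advisory's point is that the stored commit data itself was attacker-influenced.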
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 (+ 1 more)
- (no CPE)
- (no CPE)
Patches
1
- eed3a801f8fe
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4
- github.com/discourse/discourse-code-review/commit/eed3a801f8fee217fe782212d8950eb1bd236e43 [nvd]
- github.com/discourse/discourse-code-review/security/advisories/GHSA-358v-cwvc-gxh5 [nvd]
- www.vicarius.io/vsociety/posts/cve-2025-46824-detect-discourse-plugin-vulnerability [nvd]
- www.vicarius.io/vsociety/posts/cve-2025-46824-mitigate-discourse-plugin-vulnerability [nvd]
News mentions
0 (no linked articles in our index yet)