VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2025 · Updated Jun 9, 2025

Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe

CVE-2025-48877

Description

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowed_iframes site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch. As a workaround, the Codepen prefix can be removed from a site's allowed_iframes.
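To make the workaround concrete, the following Ruby script (an added example, not code from Discourse or from this advisory) models an iframe allowlist in the shape of the allowed_iframes site setting: a "|"-separated list of URL prefixes. It assumes prefix matching is how the setting is applied (an assumption to verify against your Discourse version), audits a setting value for entries covering the CodePen origin, and rebuilds the value without them. The sample setting value is constructed for the example.

```ruby
# Added example: models an allow-by-URL-prefix iframe policy like Discourse's
# allowed_iframes site setting. Assumption: the setting is a "|"-separated list
# of URL prefixes and an iframe src is accepted when it starts with one of them.

# Constructed sample resembling a default allowed_iframes value (not an actual
# Discourse default; it only needs the CodePen entry for the demonstration).
SAMPLE_ALLOWED_IFRAMES = [
  "https://www.google.com/maps/embed?",
  "https://www.openstreetmap.org/export/embed.html?",
  "https://codepen.io/",
].join("|")

CODEPEN_PREFIX = "https://codepen.io/"

# Split the setting into its individual prefixes, dropping blank entries.
def parse_allowed_iframes(setting)
  setting.to_s.split("|").map(&:strip).reject(&:empty?)
end

# True when the iframe src starts with any allowed prefix (assumed semantics).
def iframe_allowed?(src, setting)
  parse_allowed_iframes(setting).any? { |prefix| src.start_with?(prefix) }
end

# Audit helper: entries that cover the CodePen origin, i.e. the CodePen prefix
# itself, anything broader than it (e.g. "https://codepen"), or anything
# narrower under it (e.g. a specific user's embed path).
def codepen_prefixes(setting)
  parse_allowed_iframes(setting).select do |p|
    CODEPEN_PREFIX.start_with?(p) || p.start_with?(CODEPEN_PREFIX)
  end
end

# The advisory's workaround: rebuild the setting without CodePen entries.
def remove_codepen(setting)
  (parse_allowed_iframes(setting) - codepen_prefixes(setting)).join("|")
end

if __FILE__ == $PROGRAM_NAME
  pen = "https://codepen.io/someone/embed/abc123" # constructed sample src
  puts "before: #{iframe_allowed?(pen, SAMPLE_ALLOWED_IFRAMES)}"
  hardened = remove_codepen(SAMPLE_ALLOWED_IFRAMES)
  puts "after:  #{iframe_allowed?(pen, hardened)}"
  puts "hardened setting: #{hardened}"
end
```

Run it against the value shown in your site's admin settings to see which entries would be removed; the other prefixes are left untouched, so legitimate embeds such as the map entries keep working.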

Affected products (3)

  • Discourse (software) / Discourse (llm-fuzzy match), 2 version ranges
    • (no CPE) range: < 3.4.4 (stable), < 3.5.0.beta5 (beta), < 3.5.0.beta6-dev (tests-passed)
    • (no CPE) range: < 3.4.4
  • osv-coords
    range: < 3.4.4
