NVD Advisory · Severity: unrated · Published Jul 29, 2025 · Updated Jul 29, 2025
Discourse's WebAuthn challenge isn't cleared from user session after authentication
CVE-2025-53102
Description
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the stable branch and version 3.5.0.beta.8 on the tests-passed branch, when a physical security key is used for 2FA, the server generates a WebAuthn challenge and stores it in the user's session, and the client signs that challenge. The challenge is not cleared from the session after a successful authentication, so the same challenge remains valid and a captured signed assertion could potentially be replayed against it, increasing security risk. A WebAuthn challenge is meant to be single-use: the server should discard it as soon as the assertion has been verified (or rejected). This is fixed in versions 3.4.7 and 3.5.0.beta.8.
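The following Ruby example is added here to show the difference between a challenge that survives in the session and one that is cleared after use. It is illustrative code, not Discourse's own implementation: a plain Hash stands in for the Rails session store, and an HMAC over the challenge stands in for the authenticator's ECDSA signature over authenticatorData and clientDataHash (the replay property is the same either way). The class and method names are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Stand-in for the security key. A real authenticator signs with a private key;
# an HMAC with a shared per-credential secret keeps this example self-contained.
class FakeAuthenticator
  def initialize(credential_secret)
    @credential_secret = credential_secret
  end

  def sign(challenge)
    OpenSSL::HMAC.hexdigest("SHA256", @credential_secret, challenge)
  end
end

# Server side of the WebAuthn assertion flow (assumed names, not Discourse's code).
# `session` is a Hash standing in for the user's server-side session.
class WebauthnVerifier
  CHALLENGE_KEY = :webauthn_challenge

  # clear_after_use: false reproduces the pre-fix behaviour (challenge stays in
  # the session); true reproduces the fixed behaviour (single-use challenge).
  def initialize(credential_secret, clear_after_use:)
    @credential_secret = credential_secret
    @clear_after_use = clear_after_use
  end

  # Generate a fresh random challenge and remember it in the session.
  def issue_challenge(session)
    session[CHALLENGE_KEY] = SecureRandom.hex(32)
  end

  # Verify a signed assertion against the challenge stored in the session.
  def verify(session, challenge, signature)
    expected = session[CHALLENGE_KEY]
    return false if expected.nil?                       # no outstanding challenge
    return false unless secure_equal?(expected, challenge)
    expected_sig = OpenSSL::HMAC.hexdigest("SHA256", @credential_secret, challenge)
    return false unless secure_equal?(expected_sig, signature)
    # The fix: a verified challenge must never be usable again.
    session.delete(CHALLENGE_KEY) if @clear_after_use
    true
  end

  private

  # Constant-time comparison on fixed-length digests of both inputs.
  def secure_equal?(a, b)
    da = Digest::SHA256.digest(a.to_s)
    db = Digest::SHA256.digest(b.to_s)
    da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Run one legitimate authentication, then replay the captured assertion.
# Returns [first_result, replay_result].
def replay_attempts(clear_after_use:)
  secret = "per-credential-secret"          # constructed sample secret
  authenticator = FakeAuthenticator.new(secret)
  verifier = WebauthnVerifier.new(secret, clear_after_use: clear_after_use)
  session = {}

  challenge = verifier.issue_challenge(session)
  signature = authenticator.sign(challenge)   # what an attacker could capture

  first  = verifier.verify(session, challenge, signature)
  second = verifier.verify(session, challenge, signature)  # replay attempt
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  puts "challenge kept in session:   #{replay_attempts(clear_after_use: false).inspect}"
  puts "challenge cleared after use: #{replay_attempts(clear_after_use: true).inspect}"
end
```

With the challenge left in the session, the second call succeeds with the very same signed assertion; with the challenge removed after verification, the replay fails because there is no outstanding challenge to match. A robust implementation also removes the challenge on a failed verification and issues a new one per attempt.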
Affected products
- Range: >= 3.5.0.beta1, < 3.5.0.beta.8 (tests-passed branch; the description also states that stable releases prior to 3.4.7 are affected)
References
- https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802
- https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb
- https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv