Unrated severity · NVD Advisory · Published Jul 29, 2025 · Updated Jul 29, 2025
Discourse's WebAuthn challenge isn't cleared from user session after authentication
CVE-2025-53102
Description
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the stable branch and version 3.5.0.beta.8 on the tests-passed branch, when a user authenticates with a physical security key for 2FA, the server generates a WebAuthn challenge and stores it in the user's session; the client signs the challenge and returns the assertion. After a successful authentication the challenge is not cleared from the session. A WebAuthn challenge is meant to be single-use, so leaving it in place potentially allows the same challenge, and an assertion over it, to be reused, increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
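An added illustration of the defect and its fix, written for this page; it is not Discourse's code and does not reproduce the referenced patches. It models the two-step flow in Ruby, the project's language: the server mints a challenge into the session, the authenticator signs it, and the server verifies the returned assertion. The session hash, the `webauthn_challenge` key, the class names and the HMAC stand-in for the real WebAuthn signature are all assumptions made for the example. With `clear_after_use: false` the same captured assertion verifies twice in one session; with `true` (the fixed behaviour) the second attempt fails.

```ruby
require "securerandom"
require "openssl"

# Added illustration, not Discourse code. The WebAuthn signature over
# authenticatorData || SHA-256(clientDataJSON) is stood in for by an HMAC
# keyed with a per-credential secret, so this runs without a browser or the
# webauthn gem; the point is the challenge lifecycle, not the signature format.

# Stand-in for a registered security key: signs whatever challenge it is shown.
class FakeAuthenticator
  def initialize(secret)
    @secret = secret
  end

  def sign(challenge)
    { challenge: challenge,
      signature: OpenSSL::HMAC.hexdigest("SHA256", @secret, challenge) }
  end
end

# Server side. `clear_after_use: false` models the pre-fix behaviour
# (challenge left in the session); `true` models the fix.
class WebAuthnVerifier
  CHALLENGE_KEY = :webauthn_challenge # hypothetical session key name

  def initialize(credential_secret, clear_after_use:)
    @secret = credential_secret
    @clear_after_use = clear_after_use
  end

  # Step 1: mint a fresh random challenge and park it in the session.
  def issue_challenge(session)
    session[CHALLENGE_KEY] = SecureRandom.hex(32)
  end

  # Step 2: check the client's assertion against the session's challenge.
  # The fixed variant consumes the challenge on read, so every verification
  # attempt (successful or not) needs a newly issued challenge; the vulnerable
  # variant leaves it behind, so a captured assertion verifies again.
  def verify(session, assertion)
    expected = @clear_after_use ? session.delete(CHALLENGE_KEY) : session[CHALLENGE_KEY]
    return false if expected.nil?
    return false unless constant_time_equal?(expected, assertion[:challenge])
    expected_sig = OpenSSL::HMAC.hexdigest("SHA256", @secret, expected)
    constant_time_equal?(expected_sig, assertion[:signature])
  end

  private

  # Length-checked, constant-time string comparison (avoids leaking how many
  # leading bytes matched).
  def constant_time_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# One login followed by a replay of the very same assertion in the same
# session. Returns [result_of_real_login, result_of_replay].
def replay_demo(clear_after_use:)
  secret = SecureRandom.bytes(32)
  key = FakeAuthenticator.new(secret)
  server = WebAuthnVerifier.new(secret, clear_after_use: clear_after_use)
  session = {}

  challenge = server.issue_challenge(session)
  assertion = key.sign(challenge)            # legitimate 2FA response
  first = server.verify(session, assertion)  # genuine login succeeds
  replay = server.verify(session, assertion) # same assertion sent again
  [first, replay]
end

puts "vulnerable: #{replay_demo(clear_after_use: false).inspect}" # [true, true]
puts "fixed:      #{replay_demo(clear_after_use: true).inspect}"  # [true, false]
```

Consuming the challenge on read, rather than deleting it only after a successful check, is the stricter choice: a failed attempt also burns the challenge, so an attacker cannot keep guessing against one stored value and every attempt has to start from a freshly issued challenge.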
Affected products
- stable: < 3.4.7 (no CPE)
- tests-passed: < 3.5.0.beta.8 (no CPE)
- >= 3.5.0.beta1, < 3.5.0.beta.8 (no CPE)
References
- github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802 (MITRE x_refsource_MISC)
- github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb (MITRE x_refsource_MISC)
- github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv (MITRE x_refsource_CONFIRM)