Vulnerability DatabaseCVE-2025-53102
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-53102
July 29, 2025
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the "stable" branch and version 3.5.0.beta.8 on the "tests-passed" branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
Affected Packages
https://github.com/discourse/discourse.git (GITHUB):
Affected version(s) >=v1.0.0 <v3.4.7
Fix Suggestion:
Update to version v3.4.7
https://github.com/discourse/discourse.git (GITHUB):
Affected version(s) >=v3.5.0.beta1 <v3.5.0.beta8
Fix Suggestion:
Update to version v3.5.0.beta8
Related Resources (3)
https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb
https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv
https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Session Fixation
CWE-384
EPSS
Base Score:
0.07