CVE-2025-53102 · CRITICAL 9.8 · EPSS percentile 34.7%

Description

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, when a physical security key is used for 2FA, the server generates a WebAuthn challenge which the client signs. The challenge is not cleared from the user's session after authentication, so it could potentially be reused, increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% probability of exploitation · percentile 34.7% · 2026-06-19T12:03:05Z
Published: 2025-07-29
Last modified: 2025-08-25

Underlying weaknesses · 1

CWE-384

References

  1. https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802
  2. https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb
  3. https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv

Type     | Target                      | Confidence | Tier
Weakness | Session Fixation (CWE-384)  | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-23023
  2. CVE-2025-48877
  3. CVE-2026-33514
  4. CVE-2025-68662
  5. CVE-2026-32244
  6. CVE-2026-31805

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.