CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-22601: Client Side Path Traversal using activate account route in Discourse

3.1 CVSS

Description

Discourse is an open source platform for community discussion. In affected versions an attacker can trick a target user to make changes to their own username via carefully crafted link using the `activate-account` route. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Classification

CVE ID: CVE-2025-22601

CVSS Base Severity: LOW

CVSS Base Score: 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Products

Vendor: discourse

Product: discourse

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 13.01% (scored less or equal to compared to others)

EPSS Date: 2025-03-05 (when was this score calculated)

References

https://github.com/discourse/discourse/security/advisories/GHSA-gvpp-v7mp-wxxw

Timeline

2025-02-05 01:21:18 UTC
CVE

Client Side Path Traversal using activate account route in Discourse