CVE-2025-48877: Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
Description
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.
Classification
CVE ID: CVE-2025-48877
CVSS Base Severity: HIGH
CVSS Base Score: 8.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Problem Types
CWE-1038: Insecure Automated OptimizationsAffected Products
Vendor: discourse
Product: discourse
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.06% (probability of being exploited)
EPSS Percentile: 17.39% (scored less or equal to compared to others)
EPSS Date: 2025-06-23 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-48877https://github.com/discourse/discourse/security/advisories/GHSA-cm93-6m2m-cjcv