Discourse <3.4.4 allowed_iframes Codepen auto-exec arbitrary JS
CVE-2025-48877 Published on June 9, 2025
Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.
Weakness Type
Insecure Automated Optimizations
The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.
Products Associated with CVE-2025-48877
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version < 3.4.4 is affected.
- Version < 3.5.0.beta5 is affected.
- Version < 3.5.0.beta6-dev is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.