Discourse Unclear WebAuthn Challenge before 3.4.7/3.5.0.beta.8
CVE-2025-53102 Published on July 29, 2025
Discourse's WebAuthn challenge isn't cleared from user session after authentication
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user's session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
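The difference between a challenge that stays in the session and one that is consumed on use, as an added Ruby example (not Discourse's code). The session is a plain Hash, an HMAC stands in for the authenticator's public-key signature, and all method names and the key are assumptions made for illustration.

```ruby
require "securerandom"
require "openssl"

# Constructed stand-in for an authenticator. Real WebAuthn verifies a
# public-key signature; HMAC with a demo key is swapped in to run offline.
DEMO_KEY = "constructed-demo-key"

def sign(challenge)
  OpenSSL::HMAC.hexdigest("SHA256", DEMO_KEY, challenge)
end

# Length check plus XOR accumulation, so comparison time does not depend
# on where the first differing byte is.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server issues a fresh random challenge and stores it in the session.
def issue_challenge(session)
  session[:webauthn_challenge] = SecureRandom.hex(32)
end

# Pattern the advisory describes: the challenge survives verification.
def verify_keeping_challenge(session, assertion)
  expected = session[:webauthn_challenge]
  return false if expected.nil?
  constant_time_eq(sign(expected), assertion)
end

# Hardened pattern: delete first, so the challenge is single-use whether
# verification succeeds or fails.
def verify_consuming_challenge(session, assertion)
  expected = session.delete(:webauthn_challenge)
  return false if expected.nil?
  constant_time_eq(sign(expected), assertion)
end

# Presents the same signed assertion twice against one session and
# returns [first_result, second_result].
def replay_outcome(verifier)
  session = {}
  assertion = sign(issue_challenge(session))
  [send(verifier, session, assertion), send(verifier, session, assertion)]
end
```

With the challenge left in place the second presentation of the same assertion is accepted; with the consuming verifier it is rejected because no challenge remains to check against.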
Weakness Type
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Products Associated with CVE-2025-53102
Affected Versions
discourse:
- Version >= 3.5.0.beta1, < 3.5.0.beta.8 is affected.
- Version < 3.4.7 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.