Discourse Unclear WebAuthn Challenge before 3.4.7/3.5.0.beta.8
CVE-2025-53102 Published on July 29, 2025

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user's session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.

NVD
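The difference between a challenge that stays in the session and one that is consumed on use, as an added Ruby example that is not Discourse's code or its patch. The session is modelled as a plain Hash, the `:webauthn_challenge` key and all function names are hypothetical, and signing the raw challenge with an ECDSA key is a simplification of the real WebAuthn assertion format.

```ruby
require "openssl"
require "securerandom"

# Constructed model of a security-key login; not Discourse's implementation.
CHALLENGE_KEY = :webauthn_challenge # hypothetical session key name

# Server side: store a fresh random challenge in the user's session.
def issue_challenge(session)
  session[CHALLENGE_KEY] = SecureRandom.hex(32)
end

# Stand-in for the authenticator: signs the challenge with its private key.
def sign_assertion(private_key, challenge)
  private_key.sign(OpenSSL::Digest.new("SHA256"), challenge)
end

# consume: true removes the challenge the moment it is read, so it is
# single-use whether verification then succeeds or fails.
# credential_key.verify only uses the public half of the key.
def verify_assertion(session, credential_key, signature, consume:)
  challenge = consume ? session.delete(CHALLENGE_KEY) : session[CHALLENGE_KEY]
  return false if challenge.nil?
  credential_key.verify(OpenSSL::Digest.new("SHA256"), signature, challenge)
rescue OpenSSL::PKey::PKeyError
  false
end

# Presents the same signed assertion twice against one session and
# returns [first_result, second_result].
def login_twice(consume:)
  key = OpenSSL::PKey::EC.generate("prime256v1")
  session = {}
  signature = sign_assertion(key, issue_challenge(session))
  Array.new(2) { verify_assertion(session, key, signature, consume: consume) }
end

if __FILE__ == $PROGRAM_NAME
  puts "challenge left in session: #{login_twice(consume: false).inspect}"
  puts "challenge consumed on use: #{login_twice(consume: true).inspect}"
end
```

With the challenge left in place, the second presentation of the same assertion still verifies; with consume-on-read it is rejected because no challenge remains in the session.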

Weakness Type

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.


Products Associated with CVE-2025-53102


Affected Versions

discourse:

Exploit Probability

EPSS: 0.07%
Percentile: 22.47%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.