CVE-2025-53102 HIGH

CVE-2025-53102: Discourse's WebAuthn challenge isn't cleared from user session after authentication

Vendor Discourse
Product discourse
Weakness CWE-384 · Session fixation
Published July 29, 2025
Last update July 29, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.

Key dates

02Disclosure timeline

July 29, 2025 CVE published
July 29, 2025 Record updated