CVE-2025-53102
CRITICALDescription
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| discourse | discourse |
| discourse | discourse |
| discourse | discourse |
| discourse | discourse |
| discourse | discourse |
| discourse | discourse |
| discourse | discourse |
| discourse | discourse |
| discourse | discourse |
References
Frequently Asked Questions
What is CVE-2025-53102? +
How severe is CVE-2025-53102? +
What products are affected by CVE-2025-53102? +
How do I check if I'm vulnerable to CVE-2025-53102? +
Related Vulnerabilities
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of …
A malicious actor can fix the session of a PAM user by tricking the user to click on a specially …
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized …
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints …
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could …
Session fixation vulnerability in Wikimedia Foundation OAuth. This vulnerability is associated with program files src/Backend/MWOAuthServer.Php. This issue affects OAuth: from …