QwikSec

Security Database

CVE

CWE

Training

CVE-2025-53102

Published: Jul 29, 2025

Modified: Jul 29, 2025

PUBLISHED

Description

Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.

Vendor	Product	Versions
discourse	discourse	affected `>= 3.5.0.beta1, < 3.5.0.beta.8` affected `< 3.4.7`

Weaknesses (CWE)

References

https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802

x_refsource_MISC

https://github.com/discourse/discourse/commit/8bc0cee2c00a514ea60f33ea6172da2ce5a05beb

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.