CVE-2025-22602: Stored DOM-based XSS (without CSP) via video placeholders in Discourse
First published: Tue Feb 04 2025(Updated: )
Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should enable CSP.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse Discourse |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-22602?
CVE-2025-22602 is considered a high severity vulnerability due to its potential for executing arbitrary JavaScript in users' browsers.
How do I fix CVE-2025-22602?
To fix CVE-2025-22602, ensure that Content Security Policy (CSP) is enabled on your Discourse installation.
What versions of Discourse are affected by CVE-2025-22602?
CVE-2025-22602 affects all versions of Discourse that have CSP disabled.
What is the impact of CVE-2025-22602 on my Discourse site?
The impact of CVE-2025-22602 includes the possibility for attackers to run malicious scripts in the browsers of users visiting the affected Discourse site.
Is there a patch available for CVE-2025-22602?
Yes, a patch for CVE-2025-22602 has been released and is available for users to apply.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/first-publish-date
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/last-modified-date
- agent/author
- agent/source
- agent/tags
- agent/event
- vendor/discourse
- canonical/discourse discourse