CVE-2025-66488
Last modified
CVE-2025-66488 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. EPSS estimates a 0.17% chance of exploitation in the next 30 days.
Description
Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 3.5.4 |
| Discourse | Discourse | >= 2025.11.0, < 2025.11.2 |
| Discourse | Discourse | 2025.12.0 |
| Discourse | Discourse | 2026.1.0 |
References
- https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rxThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-66488?
How severe is CVE-2025-66488?
How do I fix CVE-2025-66488?
Are you affected by CVE-2025-66488?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST