CVE-2025-22602: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, was found to contain a vulnerability (CVE-2025-22602) that allows attackers to execute arbitrary JavaScript on users' browsers through malicious video placeholder HTML elements. The vulnerability was discovered and disclosed on February 4, 2025, affecting Discourse versions stable <= 3.3.3, beta <= 3.4.0.beta3, and tests-passed <= 3.4.0.beta3. This security issue specifically impacts sites that have Content Security Policy (CSP) disabled (GitHub Advisory).

The vulnerability is classified as a Cross-site Scripting (XSS) issue with a CVSS v3.1 base score of 6.5 (Medium severity). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U), with low impacts on confidentiality (C:L) and availability (A:L), but no impact on integrity (I:N) (GitHub Advisory, NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in users' browsers, potentially leading to unauthorized access to user data and browser resources. The impact is particularly significant for Discourse installations that have CSP disabled, as this security feature would otherwise help prevent such attacks (GitHub Advisory).

The vulnerability has been patched in Discourse versions stable >= 3.3.4, beta >= 3.4.0.beta4, and tests-passed >= 3.4.0.beta4. Users are advised to upgrade to these or later versions. For those unable to upgrade immediately, enabling Content Security Policy (CSP) serves as an effective workaround to prevent exploitation (GitHub Advisory).