CVE-2025-48053: 
Discourse vulnerability analysis and mitigation

Discourse, an open-source discussion platform, was found to contain a vulnerability (CVE-2025-48053) that affects versions prior to 3.4.4 of the 'stable' branch, 3.5.0.beta5 of the 'beta' branch, and 3.5.0.beta6-dev of the 'tests-passed' branch. The vulnerability was discovered and disclosed on June 9, 2025, where sending a malicious URL in a private message (PM) to a bot user could reduce the availability of a Discourse instance (GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The attack vector is network-accessible, requires low attack complexity, no special privileges, and no user interaction (GitHub Advisory, NVD).

When successfully exploited, this vulnerability can lead to reduced availability of the affected Discourse instance. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in version 3.4.4 of the 'stable' branch, version 3.5.0.beta5 of the 'beta' branch, and version 3.5.0.beta6-dev of the 'tests-passed' branch. No known workarounds are available, making it crucial for users to upgrade to the patched versions (GitHub Advisory).