CVE-2025-48877: 
Discourse vulnerability analysis and mitigation

Discourse, an open-source discussion platform, was found to contain a security vulnerability (CVE-2025-48877) where CodePen was present in the default allowed_iframes site setting. This configuration could potentially allow auto-running arbitrary JavaScript code in the iframe scope, which was unintended behavior. The vulnerability affects versions prior to 3.4.4 of the stable branch, 3.5.0.beta5 of the beta branch, and 3.5.0.beta6-dev of the tests-passed branch (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v4.0 base score of 8.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U. The issue stems from the default configuration that includes CodePen in the allowed iframes list, potentially enabling unauthorized JavaScript execution within the iframe context (NVD, Wiz).

When exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code within the iframe scope, potentially compromising the security of the Discourse platform and its users (GitHub Advisory).

The vulnerability has been patched in version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch. As a temporary workaround, administrators can remove the CodePen prefix from their site's allowed_iframes setting (GitHub Advisory).