CVE-2025-54411: 
NixOS vulnerability analysis and mitigation

CVE-2025-54411 affects Discourse, an open-source discussion platform, discovered on August 19, 2025. The vulnerability allows XSS (Cross-Site Scripting) attacks through the welcome banner user name string for logged-in users. This security issue impacts versions up to and including 3.5.0.beta7, with a fix implemented in version 3.5.0.beta8 (GitHub Advisory).

The vulnerability stems from improper neutralization of user input in the welcome banner component. The welcome banner user name string for logged-in users can be manipulated to execute malicious scripts. The issue has been assigned a CVSS v4.0 base score of 2.4 (LOW) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability's impact is limited to the user themselves or an administrator impersonating them. When exploited, it allows for XSS attacks that could potentially execute unauthorized scripts in the context of the affected user's browser session (GitHub Advisory).

A permanent fix is available in Discourse version 3.5.0.beta8. For those unable to update immediately, administrators can implement temporary workarounds by either altering the welcomebanner.header.loggedinmembers site text to remove the preferreddisplay_name placeholder or avoiding user impersonation functionality (GitHub Advisory).