CVE Details
Basic Information
| Title | Discourse’s WebAuthn challenge isn’t cleared from user session after authentication |
|---|---|
| Type | cve |
| Published | 2025-07-29T19:24:06.076Z |
| Modified | 2025-07-29T19:33:43.304Z |
Product Information
| Vendor | discourse |
|---|---|
| Product | discourse |
| Version | >= 3.5.0.beta1, < 3.5.0.beta.8 |
CVSS Information
| Base Score | 8.2 (HIGH) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
AI Analysis
| AI Description | A vulnerability in Discourse allows the WebAuthn challenge to remain in the user’s session after authentication, potentially enabling reuse and increasing security risks. This issue is fixed in versions 3.4.7 and 3.5.0.beta.8. |
|---|---|
| AI Severity | High |
| AI Vendor | Discourse Foundation |
| AI Product | Discourse |
| AI Version | 3.5.0.beta1, 3.5.0.beta8, 3.4.7 |
Affected Products
- discourse discourse >= 3.5.0.beta1, < 3.5.0.beta.8
- discourse discourse < 3.4.7
Additional Information
| CWE List | CWE-384 |
|---|---|
| Source | GitHub_M |
Description
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the userβs session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.