CVE-2025-48877 – Discourse Codepen Unintended JS Execution Vulnerability

CVE ID : CVE-2025-48877

Published : June 9, 2025, 1:15 p.m. | 1 hour, 44 minutes ago

Description : Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site’s `allowed_iframes`.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…