Platform: discourse
Component: discourse
Fixed in: 3.4.1
CVE-2025-22601 describes a Path Traversal vulnerability affecting Discourse versions up to 3.4.0.beta3. This allows an attacker to potentially manipulate a user's username through a specially crafted link, leading to unauthorized changes. The vulnerability has been addressed in version 3.4.1, and users are strongly advised to upgrade their installations.
The primary impact of this vulnerability lies in the potential for unauthorized modification of user accounts. By crafting a malicious link, an attacker can trick a target user into unknowingly altering their username. While the direct impact of a username change might seem limited, it can be a stepping stone for further attacks, such as account takeover or privilege escalation, depending on the Discourse configuration and associated integrations. The attacker does not gain direct access to the system but leverages social engineering to manipulate a user's actions.
CVE-2025-22601 was publicly disclosed on 2025-02-04. There are currently no publicly available proof-of-concept exploits. The vulnerability’s CVSS score is LOW, suggesting a relatively low probability of exploitation in the wild, but the social engineering aspect should not be underestimated. It is not listed on the CISA KEV catalog at the time of writing.
Discourse installations running versions 3.4.0.beta3 and earlier are at risk. This includes users of self-hosted Discourse instances, as well as those relying on managed hosting providers who have not yet applied the necessary updates. Community forums and online discussion platforms utilizing vulnerable Discourse versions are particularly susceptible.
• ruby / server:
  grep -r 'activate-account' /var/www/discourse/*
• generic web:
  curl -I 'https://your-discourse-instance.com/activate-account?username=../../../../etc/passwd' # Check for unusual responses
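To complement the checks above, the following added example (not code from Discourse or from the advisory) reviews web access logs for activate-account requests whose percent-decoded target contains a traversal sequence. The combined log format, the function names and the sample lines are assumptions constructed for illustration; a hit marks a request to review, not proof of exploitation.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ".." used as a path segment or at the start of a parameter value.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_activation_requests(lines):
    """Return (client_ip, decoded_target) for flagged activate-account requests."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        target = fully_decode(match.group("target"))
        if "activate-account" in target and TRAVERSAL_RE.search(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits


# Constructed sample log lines (documentation IP ranges, invented values).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2025:10:01:12 +0000] '
    '"GET /activate-account?username=alice HTTP/1.1" 200 5120',
    '198.51.100.23 - - [05/Feb/2025:10:02:40 +0000] '
    '"GET /activate-account?username=../../../../etc/passwd HTTP/1.1" 404 312',
    '198.51.100.23 - - [05/Feb/2025:10:02:44 +0000] '
    '"GET /activate-account?username=%252e%252e%252fadmin HTTP/1.1" 404 312',
    '192.0.2.10 - - [05/Feb/2025:10:03:05 +0000] "GET /t/../../x HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, target in suspicious_activation_requests(SAMPLE_LOG):
        print(f"review: {ip} requested {target}")
```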
EPSS: 0.33% (56th percentile)
The recommended mitigation for CVE-2025-22601 is to immediately upgrade Discourse to version 3.4.1 or later. This version contains the necessary fix to prevent the path traversal vulnerability. Unfortunately, there are no known workarounds for this vulnerability beyond upgrading. Ensure that all instances of Discourse are updated promptly to minimize the risk of exploitation. After upgrading, confirm the fix by attempting to activate an account using a crafted URL and verifying that the username modification is prevented.
Update Discourse to the latest available version. The vulnerability has been fixed in the latest version. There are no known workarounds.
CVE-2025-22601 is a Path Traversal vulnerability in Discourse versions up to 3.4.0.beta3, allowing attackers to manipulate usernames via crafted links.
You are affected if you are running Discourse version 3.4.0.beta3 or earlier. Upgrade to 3.4.1 to mitigate the risk.
Upgrade your Discourse installation to version 3.4.1 or later. There are no known workarounds for this vulnerability.
There are currently no confirmed reports of active exploitation, but it is crucial to apply the patch proactively.
Refer to the official Discourse security advisory for detailed information and updates: https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx (replace with actual advisory link)