Platform: discourse
Component: discourse
Fixed in: 3.4.1
CVE-2025-22601 is a Path Traversal vulnerability affecting Discourse versions up to 3.4.0.beta3. An attacker can leverage a specially crafted link within the activate-account route to trick a user into making unauthorized changes to their username. This vulnerability has been addressed in version 3.4.1, and users are strongly encouraged to upgrade their installations.
This vulnerability allows an attacker to potentially modify a user's username without their explicit consent. While the immediate impact might seem limited, successful exploitation could be a stepping stone for further attacks. An attacker could use this to impersonate a user, gain access to sensitive information, or disrupt community operations. The ability to manipulate usernames could also be used to bypass access controls or inject malicious content into the Discourse platform, depending on how usernames are utilized within the application’s logic.
This vulnerability was publicly disclosed on 2025-02-04. There are currently no known public proof-of-concept exploits available. The vulnerability has been assessed as LOW severity according to CVSS 3.1. It is not currently listed on the CISA KEV catalog.
EPSS: 0.33% (56th percentile)
The primary mitigation for CVE-2025-22601 is to upgrade Discourse to version 3.4.1 or later. As there are no known workarounds for this vulnerability, upgrading is the only viable solution. Ensure a proper backup of your Discourse database and files before initiating the upgrade process. After the upgrade, verify the integrity of your Discourse installation by attempting to activate a test account and confirming that usernames are handled securely.
Upgrade Discourse to the latest available version. The vulnerability has been corrected in the latest version. No known workarounds exist.
CVE-2025-22601 is a Path Traversal vulnerability in Discourse versions up to 3.4.0.beta3, allowing attackers to manipulate usernames via crafted links.
You are affected if you are running Discourse version 3.4.0.beta3 or earlier. Upgrade to 3.4.1 to mitigate the risk.
Upgrade your Discourse installation to version 3.4.1 or later. There are no known workarounds for this vulnerability.
There are currently no confirmed reports of active exploitation, but it is crucial to apply the patch proactively.
Refer to the official Discourse security advisory for detailed information and updates: [https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)