3.5.5
2025.11.1
2025.12.1
2026.1.1
CVE-2025-68662 is a Server-Side Request Forgery (SSRF) vulnerability discovered in Discourse, an open-source discussion platform. This flaw stems from a hostname validation issue within the FinalDestination component, enabling attackers to bypass SSRF protections under specific conditions. The vulnerability impacts Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. A patch is available in the mentioned versions.
Successful exploitation of CVE-2025-68662 allows an attacker to initiate server-side requests to internal or external resources that the Discourse server can access. This can lead to unauthorized access to sensitive data, potentially including internal service credentials, database information, or other confidential resources. An attacker could leverage this SSRF vulnerability to scan internal networks, interact with internal APIs, or even trigger actions on other systems within the Discourse environment. The blast radius extends to any internal resources accessible by the Discourse server, potentially compromising the entire infrastructure.
As of the publication date (2026-01-28), this CVE is not listed on the CISA KEV catalog. Public proof-of-concept (POC) code is currently unavailable, but the SSRF nature of the vulnerability suggests a potential for easy exploitation once a POC is released. The vulnerability's impact depends on the internal resources accessible by the Discourse server.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68662 is to upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. Unfortunately, no workarounds are currently available. Before upgrading, it's crucial to review the Discourse upgrade documentation and perform a backup of your Discourse database and files. After the upgrade, verify the fix by attempting to trigger an SSRF request through the FinalDestination component; the request should be blocked.
Update Discourse to version 3.5.4 or higher. This will fix the hostname validation vulnerability in FinalDestination, preventing potential SSRF protection bypasses. The update can be performed through the Discourse admin panel.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-68662 is a Server-Side Request Forgery vulnerability in Discourse affecting versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. It allows attackers to bypass SSRF protections.
You are affected if you are running Discourse versions ≤ 2026.1.0-latest and < 2026.1.0. Check your version and upgrade immediately if vulnerable.
Upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. No workarounds are currently available.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation once a proof-of-concept is released.
Refer to the official Discourse security advisory for detailed information and updates: [https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link when available)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.