CVE-2025-68662 | THREATINT

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

PUBLISHED Reserved 2025-12-22 | Published 2026-01-28 | Updated 2026-01-28 | Assigner GitHub_M

HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 3.5.4

affected

>= 2025.11.0-latest, < 2025.11.2

affected

>= 2025.12.0-latest, < 2025.12.1

affected

>= 2026.1.0-latest, < 2026.1.0

affected

References

github.com/...course/security/advisories/GHSA-gcfp-rjfc-925c

cve.org (CVE-2025-68662)

nvd.nist.gov (CVE-2025-68662)

Download JSON