### [CVE-2025-48053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48053)
![](https://img.shields.io/static/v1?label=Product&message=discourse&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%203.4.4%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3C%203.5.0.beta5%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3C%203.5.0.beta6-dev%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-400%3A%20Uncontrolled%20Resource%20Consumption&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-770%3A%20Allocation%20of%20Resources%20Without%20Limits%20or%20Throttling&color=brightgreen)

### Description

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can cause reduced availability of a Discourse instance. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. No known workarounds are available.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds