CVE-2025-68662

CRITICAL9.9EPSS 0.03%

FinalDestination hostname matching allows SSRF protection bypass

發布日:2026/2/2修改日:2026/2/2

也稱為:GHSA-gcfp-rjfc-925cBIT-discourse-2025-68662

描述

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

受影響套件(1)

Bitnami/discoursefrom 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

參考連結(2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-68662