FKIE_CVE-2025-53532

Vulnerability from fkie_nvd - Published: 2025-07-07 17:15 - Updated: 2025-07-08 16:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits.
References
security-advisories@github.comhttps://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389
security-advisories@github.comhttps://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a
security-advisories@github.comhttps://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "giscus is a commenting system powered by GitHub Discussions. A bug in giscus\u0027 discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits."
    },
    {
      "lang": "es",
      "value": "giscus es un sistema de comentarios impulsado por Discusiones de GitHub. Un error en la API de creaci\u00f3n de discusiones de giscus permiti\u00f3 que un usuario no autorizado creara discusiones en cualquier repositorio donde estuviera instalado. Esto afecta a la parte del servidor de giscus, que se proporciona a trav\u00e9s de http://giscus.app o de un servicio alojado por el usuario. Esta vulnerabilidad se corrige con las confirmaciones c43af7806e65adfcf4d0feeebef76dc36c95cb9a y 4b9745fe1a326ce08d69f8a388331bc993d19389."
    }
  ],
  "id": "CVE-2025-53532",
  "lastModified": "2025-07-08T16:18:34.923",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-07T17:15:30.533",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.