CVE-2025-53532

giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389
https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a
https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3

Configurations

No configuration.

History

08 Jul 2025, 16:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-07 17:15

Updated : 2025-07-08 16:18

NVD link : CVE-2025-53532

Mitre link : CVE-2025-53532

CVE.ORG link : CVE-2025-53532

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

{"id": "CVE-2025-53532", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-07-07T17:15:30.533", "references": [{"url": "https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389", "source": "security-advisories@github.com"}, {"url": "https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a", "source": "security-advisories@github.com"}, {"url": "https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits."}, {"lang": "es", "value": "giscus es un sistema de comentarios impulsado por Discusiones de GitHub. Un error en la API de creaci\u00f3n de discusiones de giscus permiti\u00f3 que un usuario no autorizado creara discusiones en cualquier repositorio donde estuviera instalado. Esto afecta a la parte del servidor de giscus, que se proporciona a trav\u00e9s de http://giscus.app o de un servicio alojado por el usuario. Esta vulnerabilidad se corrige con las confirmaciones c43af7806e65adfcf4d0feeebef76dc36c95cb9a y 4b9745fe1a326ce08d69f8a388331bc993d19389."}], "lastModified": "2025-07-08T16:18:34.923", "sourceIdentifier": "security-advisories@github.com"}