CVE-2025-53532 (GCVE-0-2025-53532)
Vulnerability from cvelistv5
Published
2025-07-07 17:06
Modified
2025-07-07 17:52
CWE
Summary
giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussion-creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. The vulnerability is fixed by commits c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389; operators of a self-hosted service should confirm that their deployed build includes both commits.
Impacted products
Vendor Product Version
giscus giscus Version: < c43af7806e65adfcf4d0feeebef76dc36c95cb9a


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53532",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T17:52:34.931217Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T17:52:47.272Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "giscus",
          "vendor": "giscus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c c43af7806e65adfcf4d0feeebef76dc36c95cb9a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "giscus is a commenting system powered by GitHub Discussions. A bug in giscus\u0027 discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T17:06:58.249Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3"
        },
        {
          "name": "https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389"
        },
        {
          "name": "https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a"
        }
      ],
      "source": {
        "advisory": "GHSA-w6vg-v24f-4vm3",
        "discovery": "UNKNOWN"
      },
      "title": "giscus allows unauthorized discussion creation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53532",
    "datePublished": "2025-07-07T17:06:58.249Z",
    "dateReserved": "2025-07-02T15:15:11.514Z",
    "dateUpdated": "2025-07-07T17:52:47.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53532\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-07T17:15:30.533\",\"lastModified\":\"2025-07-08T16:18:34.923\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"giscus is a commenting system powered by GitHub Discussions. A bug in giscus\u0027 discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits.\"},{\"lang\":\"es\",\"value\":\"giscus es un sistema de comentarios impulsado por Discusiones de GitHub. Un error en la API de creaci\u00f3n de discusiones de giscus permiti\u00f3 que un usuario no autorizado creara discusiones en cualquier repositorio donde estuviera instalado. Esto afecta a la parte del servidor de giscus, que se proporciona a trav\u00e9s de http://giscus.app o de un servicio alojado por el usuario. 
Esta vulnerabilidad se corrige con las confirmaciones c43af7806e65adfcf4d0feeebef76dc36c95cb9a y 4b9745fe1a326ce08d69f8a388331bc993d19389.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"references\":[{\"url\":\"https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53532\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-07T17:52:34.931217Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-07T17:52:39.469Z\"}}], \"cna\": {\"title\": \"giscus allows unauthorized discussion creation\", \"source\": {\"advisory\": \"GHSA-w6vg-v24f-4vm3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"giscus\", \"product\": \"giscus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c c43af7806e65adfcf4d0feeebef76dc36c95cb9a\"}]}], \"references\": [{\"url\": \"https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3\", \"name\": \"https://github.com/giscus/giscus/security/advisories/GHSA-w6vg-v24f-4vm3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389\", \"name\": \"https://github.com/giscus/giscus/commit/4b9745fe1a326ce08d69f8a388331bc993d19389\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a\", \"name\": \"https://github.com/giscus/giscus/commit/c43af7806e65adfcf4d0feeebef76dc36c95cb9a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": 
[{\"lang\": \"en\", \"value\": \"giscus is a commenting system powered by GitHub Discussions. A bug in giscus\u0027 discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-07T17:06:58.249Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53532\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-07T17:52:47.272Z\", \"dateReserved\": \"2025-07-02T15:15:11.514Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-07T17:06:58.249Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

