3.3.4: Security and maintenance release

Saif · February 5, 2025, 2:26pm

Discourse 3.3.4 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta are production ready.

Security Updates

This release includes fixes for these security issues reported by our community and HackerOne.

XSS via topic titles when CSP disabled (CVE-2024-53266)
Partial DoS via inline oneboxes (CVE-2024-53851)
Potential bypass of chat permissions (CVE-2024-53994)
Users can see other user’s tagged PMs (CVE-2024-56197)
HTMLi(XSS without CSP) via Onebox URLs (CVE-2024-56328)
Stored DOM-based XSS (without CSP) via video placeholders (CVE-2025-22602)
Anonymous cache poisoning via XHR requests (CVE-2024-55948)
Anonymous cache poisoning via request headers (CVE-2025-23023)

Topic	Replies	Views
3.3.2: Security and maintenance release Announcements release-notes	572	October 7, 2024
3.3.3: Security and maintenance release Announcements release-notes	372	December 19, 2024
3.1.5: Security and bug fix release Announcements release-notes	1653	January 30, 2024
3.2.5: Security and bug fix release Announcements release-notes	252	July 30, 2024
3.0.3: Security and bug fix release Announcements release-notes	1027	April 18, 2023

3.3.4: Security and maintenance release

Discourse 3.3.4 Stable Release

Security Updates

Related topics