CVE-2025-68662 — FinalDestination hostname matching allows SSRF protection bypass

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

How to fix CVE-2025-68662

To remediate CVE-2025-68662, upgrade the affected package to a fixed version below.

—upgrade to 3.5.4 or later

Is CVE-2025-68662 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (2)

WEBgithub.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c
WEBnvd.nist.gov/vuln/detail/CVE-2025-68662