PT-2025-12890 · Discourse · Discourse

Published

2025-03-26

·

Updated

2025-08-26

·

CVE-2025-24808

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.3.4 on the stable branch and prior to 3.4.0.beta5 on the beta branch
Description

Discourse is an open-source discussion platform. Its chat feature caps the number of members in a group direct message (DM). The check against that cap and the subsequent insertion of new members were not synchronized, so a user whose group DM was one short of the limit could issue several add-user requests in parallel: each request read the current member count and passed the limit check before any of them had committed, and all of them were then applied, leaving the channel with more members than the limit allows. The affected code is the service that adds users to a channel; the fix wraps the check-and-add part of that service in a distributed lock so that concurrent requests against the same channel are serialized. The advisory gives no estimate of the number of affected installations and reports no known in-the-wild exploitation.
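The race described above, as an added illustration that is not Discourse's code: a minimal Ruby model of a group DM channel with a member limit. `add_users_unsafe` mirrors the unsynchronized check-then-add; `add_users_locked` wraps the same two steps in a single critical section, standing in for the distributed lock the fix introduces. The `Channel` class, the `race` driver, the limit of 5 and the `sleep` that widens the window are all constructed for this example. A process-local `Mutex` is used because one process is enough to show the race; a deployment with several application servers needs a lock shared across processes, which is why the real fix is a distributed one.

```ruby
require "set"

# Constructed stand-in for a group DM channel with a member cap.
class Channel
  attr_reader :members, :limit

  def initialize(limit:)
    @limit = limit
    @members = Set.new
    @lock = Mutex.new # process-local stand-in for the distributed lock in the fix
  end

  # Vulnerable pattern: the limit check and the insert are two separate steps,
  # so a second request can pass the check before the first has added anyone.
  def add_users_unsafe(users)
    return :limit_reached if @members.size + users.size > @limit
    sleep(0.01) # widens the check-to-act window, like a DB round trip would
    @members.merge(users)
    :ok
  end

  # Fixed pattern: check and insert run under one lock, so requests against
  # the same channel are serialized and the second one sees the updated count.
  def add_users_locked(users)
    @lock.synchronize do
      return :limit_reached if @members.size + users.size > @limit
      sleep(0.01)
      @members.merge(users)
      :ok
    end
  end
end

# Fires `requests` parallel add-user requests at a channel that has room for
# exactly one more member, then returns the resulting member count.
def race(method, requests: 8, limit: 5)
  channel = Channel.new(limit: limit)
  channel.members.merge(%w[u1 u2 u3 u4]) # 4 of 5 slots already used
  threads = requests.times.map do |i|
    Thread.new { channel.public_send(method, ["new_user_#{i}"]) }
  end
  threads.each(&:join)
  channel.members.size
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: #{race(:add_users_unsafe)} members (limit 5)"
  puts "locked: #{race(:add_users_locked)} members (limit 5)"
end
```

Run stand-alone, the unsafe variant ends with more than 5 members because every request passes the check during the sleep, while the locked variant admits exactly one more user and rejects the rest.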
Recommendations

Stable branch: update to Discourse 3.3.4 or later. Beta branch: update to 3.4.0.beta5 or later. Until the update is applied, the only mitigation is to limit a user's ability to fire concurrent add-user requests at the same group DM (for example by rate-limiting that request path); this narrows the window but does not close the race, so treat it as a stopgap rather than a fix.

Weakness Enumeration

Race Condition

Related Identifiers

BIT-DISCOURSE-2025-24808
CVE-2025-24808
GHSA-HFCX-QJW6-573R

Affected Products

Discourse