PT-2025-12891 · Discourse · Discourse

Published: 2025-03-26 · Updated: 2025-03-28 · CVE-2025-24972

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.3.4; Discourse versions prior to 3.4.0.beta5

Description

The issue affects Discourse, an open-source discussion platform. Under specific circumstances, users could be added to group direct messages even though they had disabled direct messaging in their preferences, so the preference was not enforced as an authorization check.

Recommendations

For versions prior to 3.3.4, update to version 3.3.4 or later to resolve the issue. For versions prior to 3.4.0.beta5, update to version 3.4.0.beta5 or later to resolve the issue. As a temporary workaround, consider disabling chat in user preferences to prevent being added to new group chats.

Weakness Enumeration

Missing Authorization

Related Identifiers

BIT-DISCOURSE-2025-24972
CVE-2025-24972
GHSA-4P63-QW6G-4MV2

Affected Products

Discourse