Race Condition Vulnerability in Discourse Open-Source Discussion Platform
CVE-2025-24808
4.3 MEDIUM
Summary
Discourse, an open-source discussion platform, contains a vulnerability that allows users to exploit a race condition when approaching the limit of users in a group direct message (DM). Attackers can send parallel requests to add new users, potentially exceeding the established limits. This flaw was addressed in versions 3.3.4 and 3.4.0.beta5, which integrated a locking mechanism within the 'add_users_to_channel' service to mitigate the issue effectively.
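The check-then-act pattern the summary describes, as an added illustration in Ruby (Discourse's language) that is not Discourse's own code: `GroupDm`, `add_users_unlocked` and `add_users_locked` are assumed names, and the member limit and user names are constructed.

```ruby
# Added example (not Discourse's code): models the "add users to a group DM"
# operation as a limit check followed by an insert, and shows why the two
# steps must run under one lock.
require 'thread'

class GroupDm
  attr_reader :members

  def initialize(max_members:)
    @max = max_members
    @members = []
    @lock = Mutex.new
  end

  # Unsafe: the limit check and the insert are not atomic. If the scheduler
  # switches threads between them (Thread.pass widens that window), several
  # parallel requests all pass the check against the same stale count.
  def add_users_unlocked(users)
    return :limit_reached if @members.size + users.size > @max
    Thread.pass
    @members.concat(users)
    :ok
  end

  # Safe: check and insert happen under one lock, so only one request at a
  # time can observe the count and change it.
  def add_users_locked(users)
    @lock.synchronize do
      return :limit_reached if @members.size + users.size > @max
      @members.concat(users)
      :ok
    end
  end
end

# Fire `requests` parallel single-user adds against an empty DM and report
# how many members ended up in it.
def race(method, requests:, max_members: 5)
  dm = GroupDm.new(max_members: max_members)
  threads = requests.times.map { |i| Thread.new { dm.public_send(method, ["user#{i}"]) } }
  threads.each(&:join)
  dm.members.size
end
```

The unlocked variant frequently ends above the limit, while the locked one never does; only the locked result is deterministic.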
Affected Version(s)
discourse < 3.3.4
discourse >= 3.4.0.beta1, < 3.4.0.beta5
References
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved