Race Condition Vulnerability in Discourse Open-Source Discussion Platform
CVE-2025-24808

4.3MEDIUM

Key Information:

Vendor
Discourse
Status
Vendor
CVE Published:
26 March 2025

Summary

Discourse, an open-source discussion platform, contains a vulnerability that allows users to exploit a race condition when approaching the limit of users in a group direct message (DM). Attackers can send parallel requests to add new users, potentially exceeding the established limits. This flaw was addressed in versions 3.3.4 and 3.4.0.beta5, which integrated a locking mechanism within the 'add_users_to_channel' service to mitigate the issue effectively.

Affected Version(s)

discourse < 3.3.4 < 3.3.4

discourse >= 3.4.0.beta1, < 3.4.0.beta5 < 3.4.0.beta1, 3.4.0.beta5

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.