Bypass Vulnerability in Discourse Open-Source Discussion Platform
CVE-2025-32376

4.8MEDIUM

Key Information:

Vendor

Discourse
Status
Discourse
Vendor
CVE Published:
30 April 2025

What is CVE-2025-32376?

The Discourse platform has a security vulnerability that allows users to bypass the limits set for direct messages (DMs). This flaw enables a user to attempt to create a DM that includes every user on the site, potentially leading to privacy and security concerns. The vulnerability affects versions prior to 3.4.3 for the stable branch and 3.5.0.beta3 for the beta branch. Users are advised to upgrade to the patched versions to safeguard against this issue. Detailed information can be found in the security advisories linked in the references.

Affected Version(s)

discourse < 3.4.3 < 3.4.3

discourse >= 3.5.0.beta1, < 3.5.0.beta3 < 3.5.0.beta1, 3.5.0.beta3

References

https://github.com/discourse/discourse/security/advisorie...
x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/21a7f316222...
x_refsource_MISC

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-32376 : Bypass Vulnerability in Discourse Open-Source Discussion Platform