User Information Disclosure in Discourse Discussion Platform
CVE-2025-64528

6.3MEDIUM

Key Information:

Vendor

Discourse
Status
Discourse
Vendor
CVE Published:
30 December 2025

What is CVE-2025-64528?

A vulnerability exists in the Discourse discussion platform that allows an attacker who has knowledge of part of a username to retrieve the user's full name through either the user interface or API, regardless of the 'enable_names' setting being disabled. This flaw affects versions prior to 3.5.3, 2025.11.1, and 2025.12.0. Users are encouraged to upgrade to the latest versions to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

discourse < 3.5.3 < 3.5.3

discourse >= 2025.11.0-latest, < 2025.11.1 < 2025.11.0-latest, 2025.11.1

discourse >= 2025.12.0-latest, < 2025.12.0 < 2025.12.0-latest, 2025.12.0

References

https://github.com/discourse/discourse/security/advisorie...
x_refsource_CONFIRM
https://github.com/discourse/discourse/commit/1cb45b8b287...
x_refsource_MISC
https://github.com/discourse/discourse/commit/6192f556296...
x_refsource_MISC

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.