CVE-2025-24972 in Discourse
Summary
by MITRE • 03/26/2025
Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions `3.3.4` and `3.4.0.beta5` contain a patch for the issue. A workaround is available. If a user disables chat in their preferences then they cannot be added to new group chats.
Analysis
by VulDB Data Team • 08/26/2025
This vulnerability affects Discourse, an open-source discussion platform, and concerns its chat feature: under specific conditions a user who had disabled direct messaging in their preferences could still be added to a group direct message. The flaw sits in the membership logic for group direct messages, where the target user's own preference was not consulted, so a setting that exists to give users control over who can contact them was silently bypassed. This is an authorization and privacy defect rather than a privilege escalation: the attacker gains no extra rights, but the victim's opt-out stops being enforced. Versions prior to 3.3.4 on the stable branch and prior to 3.4.0.beta5 on the beta branch are affected.
The root cause is insufficient validation of the target user's preferences when a group direct message is created. When a user disables direct messaging, the platform should enforce that choice on every path that can place the user into a direct-message channel, one-to-one and group alike. Instead, the group path allowed members to be added without that check, so a group invitation could reach users who had explicitly opted out. This matches CWE-693, Protection Mechanism Failure: a control exists but is not applied consistently. In practice it is a user-configured access restriction that one code path enforces and another forgets, which is a common pattern when a feature (here, group channels) is added after the original one-to-one check was written.
The operational impact goes beyond a mere preference mismatch. Anyone able to create a group direct message could use it to force contact with a user who had opted out of direct messages, which opens the door to harassment and unsolicited messaging and undermines the user's trust that the setting means what it says. Because the victim lands in a channel controlled by the creator, the same channel can carry spam or phishing content that the opt-out was meant to keep away. For a community platform this is a user-safety issue as much as a security one, and one that erodes confidence in the platform's privacy controls.
Mitigation is to enforce the direct-message preference at the point where members are added to any direct-message channel, regardless of how many members the channel has. The patched versions validate each target user's preference before adding them to a group direct message, restoring the intended control. Administrators should upgrade to 3.3.4 (stable) or 3.4.0.beta5 (beta). The documented workaround, a user disabling chat entirely in their preferences, does prevent them from being added to new group chats, but it is broader than the original setting (it turns off all chat rather than only direct messages), so it should be treated as a stopgap until the upgrade is applied. After upgrading, it is worth testing the messaging authorization flows directly: attempt to add an opted-out user to both a one-to-one and a group direct message and confirm that both are refused. More generally, this issue shows how a user-preference check that is enforced on one code path and skipped on a parallel one creates a real privacy gap, and why such checks belong in a single shared guard rather than being repeated per feature.
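To make the root-cause and mitigation paragraphs above concrete, here is an added illustration in Ruby, written for this page and not taken from Discourse's code base. It models the bug class described: a per-user "allow direct messages" preference that is consulted on the one-to-one path but skipped on the group path, next to a fixed version that runs one shared guard over every member. The user fields, method names, and the exact shape of the skipped check are assumptions; the real Discourse implementation is not reproduced here. The model also reflects the advisory's workaround: a user with chat disabled is refused on every path, even in the vulnerable flavour.

```ruby
# Added illustration of the bug class, not Discourse's own code.
# Field and method names are assumptions made for this example.

User = Struct.new(:username, :allow_direct_messages, :chat_enabled, keyword_init: true)

class PreferenceViolation < StandardError; end

# Vulnerable flavour (assumed shape): the chat-disabled check runs for every
# target, which is why disabling chat works as a workaround, but the
# direct-message preference is consulted only when the channel is one-to-one.
def create_dm_vulnerable(actor, targets)
  disabled = targets.reject(&:chat_enabled).map(&:username)
  raise PreferenceViolation, disabled.join(", ") unless disabled.empty?

  # Bug: a group channel (two or more targets) skips this branch entirely.
  if targets.size == 1 && !targets.first.allow_direct_messages
    raise PreferenceViolation, targets.first.username
  end

  ([actor] + targets).map(&:username)
end

# Fixed flavour: one shared guard evaluated for every member, regardless of
# how many members the channel has. Anyone who has disabled chat or opted out
# of direct messages is refused, and the caller is told who blocked it.
def dm_allowed?(target)
  target.chat_enabled && target.allow_direct_messages
end

def create_dm_fixed(actor, targets)
  blocked = targets.reject { |t| dm_allowed?(t) }.map(&:username)
  raise PreferenceViolation, blocked.join(", ") unless blocked.empty?

  ([actor] + targets).map(&:username)
end

# Run one of the two creators and report either the resulting member list or
# the usernames whose preferences blocked the channel.
def attempt(creator, actor, targets)
  { members: send(creator, actor, targets) }
rescue PreferenceViolation => e
  { blocked: e.message.split(", ") }
end

# Constructed sample users for the demonstration.
ALICE = User.new(username: "alice", allow_direct_messages: true,  chat_enabled: true)
BOB   = User.new(username: "bob",   allow_direct_messages: true,  chat_enabled: true)
CAROL = User.new(username: "carol", allow_direct_messages: false, chat_enabled: true)  # opted out of DMs
DAVE  = User.new(username: "dave",  allow_direct_messages: false, chat_enabled: false) # chat disabled entirely

# Compare the two flavours on the same inputs.
def demo
  {
    vulnerable_one_to_one: attempt(:create_dm_vulnerable, ALICE, [CAROL]),      # opt-out honoured
    vulnerable_group:      attempt(:create_dm_vulnerable, ALICE, [BOB, CAROL]), # opt-out bypassed: carol is added
    vulnerable_workaround: attempt(:create_dm_vulnerable, ALICE, [BOB, DAVE]),  # chat disabled still blocks
    fixed_group:           attempt(:create_dm_fixed, ALICE, [BOB, CAROL]),      # opt-out honoured on the group path
    fixed_clean:           attempt(:create_dm_fixed, ALICE, [BOB])              # nobody opted out: channel created
  }
end

demo.each { |label, result| puts "#{label}: #{result}" } if $PROGRAM_NAME == __FILE__
```

The point of the comparison is the `vulnerable_group` case: the same user whose opt-out is respected in a one-to-one channel is quietly added once a second member is present, which is the behaviour the advisory describes. The fixed version makes that impossible by construction, because there is no path to membership that does not go through `dm_allowed?`.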