CVE-2025-49845
BaseFortify

Publication date: 2025-06-25

Last updated on: 2025-08-25

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
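The flaw described above, modelled as an added illustration that is not Discourse's own code: a whisper-visibility predicate with an "own post" shortcut beside the corrected predicate that derives visibility only from the viewer's current group membership. Only the site setting name `whispers_allowed_groups` comes from the advisory; `Whisper`, the `whisper_visible?` functions and the membership table are hypothetical, and the scenario data is constructed.

```ruby
# Added illustrative model of the CVE-2025-49845 flaw. This is NOT Discourse's
# code; Whisper, whisper_visible? and the membership table are hypothetical.
# Only the site setting name, whispers_allowed_groups, comes from the advisory.
Whisper = Struct.new(:id, :author, :body)

SITE_SETTINGS = { "whispers_allowed_groups" => %w[staff moderators] }

def allowed_group?(groups)
  (groups & SITE_SETTINGS["whispers_allowed_groups"]).any?
end

# Vulnerable shape: an "own post" shortcut short-circuits the group check, so a
# user removed from every allowed group keeps seeing whispers they authored.
def whisper_visible_vulnerable?(viewer, viewer_groups, whisper)
  return true if whisper.author == viewer     # the bypass
  allowed_group?(viewer_groups)
end

# Patched shape: visibility is derived solely from current group membership,
# so losing membership hides the viewer's own whispers as well.
def whisper_visible?(viewer, viewer_groups, whisper)
  allowed_group?(viewer_groups)
end

# Replay the scenario from the advisory with constructed data: alice whispers
# while in "staff", is then removed from the group, and re-reads the thread.
def scenario
  memberships = { "alice" => %w[staff], "bob" => %w[trust_level_1] }
  whisper = Whisper.new(1, "alice", "constructed sample whisper")

  before = whisper_visible?("alice", memberships["alice"], whisper)
  memberships["alice"] = []   # alice loses whisper visibility

  {
    visible_while_member: before,
    vulnerable_after_removal: whisper_visible_vulnerable?("alice", memberships["alice"], whisper),
    patched_after_removal: whisper_visible?("alice", memberships["alice"], whisper),
    bob_sees_it: whisper_visible?("bob", memberships["bob"], whisper),
  }
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

The design point is that an authorization predicate for a group-gated feature must be recomputed from current membership on every read; any ownership shortcut stored or checked alongside it becomes an information-exposure path (CWE-200) the moment membership changes.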
Meta Information
Published: 2025-06-25
Last Modified: 2025-08-25
Generated: 2026-05-07
AI Q&A: 2025-06-25
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: discourse
Product: discourse
Version / Range: before 3.4.6 (3.4.6 excluded)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
NVD-CWE-noinfo: Insufficient Information (NVD placeholder category)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Discourse platform's 'whispers' feature, which is designed to restrict visibility of certain posts to specific user groups. Due to the flaw, users who have been removed from authorized groups can still see their own whisper posts, bypassing the intended access controls. This issue exists in Discourse versions prior to 3.4.6 on the stable branch and prior to 3.5.0.beta8-dev on the tests-passed branch, and is fixed in those versions and later. [1]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized disclosure of confidential information, as users who should no longer have access to certain whisper posts can still view their own whispers. The impact is limited to confidentiality with a low severity rating. There is no impact on system integrity or availability. The attack can be performed remotely without privileges or user interaction. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves identifying if your Discourse instance is running a vulnerable version (prior to 3.4.6 on stable or prior to 3.5.0.beta8-dev on tests-passed). You can check the Discourse version by running the command: `discourse version` or by inspecting the version in the admin dashboard. There are no specific network or system commands provided to detect the vulnerability directly. Monitoring user access to 'whisper' posts and verifying group membership changes may help identify exploitation attempts, but no explicit detection commands are available. [1]

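As an added example (not BaseFortify's or Discourse's code) of the version check the answer above describes: a small Ruby script that classifies a Discourse version string against the two fixed versions from the advisory, handling the `betaN` and `betaN-dev` forms that a plain string comparison gets wrong. The operator supplies the version string from the admin dashboard; reading it from `Discourse::VERSION::STRING` in `lib/version.rb` of the installation, and treating beta builds as coming from the `tests-passed` branch and final releases from `stable`, are my assumptions.

```ruby
# Added example, not BaseFortify's or Discourse's code: classify a Discourse
# version string against the CVE-2025-49845 fixed versions.
FIXED_STABLE       = "3.4.6"            # stable branch fix, from the advisory
FIXED_TESTS_PASSED = "3.5.0.beta8-dev"  # tests-passed branch fix, from the advisory

# Parse "MAJOR.MINOR.TINY[.betaN][-dev]" into an array that sorts correctly:
# a final release outranks every beta of the same number, and "betaN-dev"
# sits just below "betaN" (the advisory marks 3.5.0.beta8-dev itself as fixed).
def parse_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?(-dev)?\z/)
  raise ArgumentError, "unrecognised Discourse version: #{str.inspect}" unless m
  major, minor, tiny, beta, dev = m.captures
  beta_rank = beta ? beta.to_i : Float::INFINITY   # no beta tag => final release
  dev_rank  = dev ? 0 : 1                           # betaN-dev < betaN
  [major.to_i, minor.to_i, tiny.to_i, beta_rank, dev_rank]
end

# Assumption: beta builds come from the tests-passed branch, finals from stable.
def branch_of(str)
  str.include?("beta") ? :tests_passed : :stable
end

def fixed_version_for(branch)
  branch == :stable ? FIXED_STABLE : FIXED_TESTS_PASSED
end

# True when the running version is strictly older than its branch's fix.
def vulnerable?(str)
  (parse_version(str) <=> parse_version(fixed_version_for(branch_of(str)))) < 0
end

def assess(str)
  branch = branch_of(str)
  { version: str, branch: branch, fixed_in: fixed_version_for(branch), vulnerable: vulnerable?(str) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs covering both branches and the beta edge cases.
  %w[3.3.2 3.4.5 3.4.6 3.5.0 3.5.0.beta7 3.5.0.beta8-dev 3.5.0.beta8].each do |v|
    puts assess(v).inspect
  end
end
```

Run it as `ruby check.rb` to see the sample classifications, or call `assess(version_string)` from a fleet inventory script; the output only tells you whether the instance is inside the affected range, not whether anyone has read a whisper they should no longer see, which the page says has no direct detection command.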

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade your Discourse installation to version 3.4.6 or later on the stable branch, or 3.5.0.beta8-dev or later on the tests-passed branch, where the vulnerability is patched. No workarounds are available, so applying the official patch is necessary to resolve the issue. [1]

