CVE-2025-58055
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-58055, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-01

Last updated on: 2025-10-23

Assigner: GitHub, Inc.

Description

Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To workaround this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-01
Last Modified
2025-10-23
Generated
2026-07-06
AI Q&A
2025-10-01
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse to 3.5.1 (exc)
discourse discourse to 3.6.0 (exc)
discourse discourse 3.6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Discourse versions 3.5.0 and below involves the AI suggestion endpoints for topic Title, Category, and Tags. Authenticated users could manipulate the topic_id parameter in API requests to access information about restricted topics they were not authorized to see. The AI model would then disclose information about these restricted topics, effectively leaking data to unauthorized users. This issue is fixed in version 3.5.1.

Impact Analysis

The vulnerability allows authenticated users to access and extract information about restricted topics they should not have access to. This could lead to unauthorized disclosure of sensitive or confidential information within the Discourse platform, potentially compromising privacy and security of the community discussions.

Mitigation Strategies

To mitigate this vulnerability immediately, restrict group access to the AI helper feature by configuring the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. Additionally, upgrade Discourse to version 3.5.1 or later where this issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart