CVE-2025-64528
User Enumeration Vulnerability in Discourse Allows Full Name Disclosure
Publication date: 2025-12-30
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | 2025.12.0 |
| discourse | discourse | 2025.11.0 |
| discourse | discourse | up to 3.5.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-202 | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Discourse allows an attacker who knows part of a username to discover the full username and the user's full name via the user interface or API, even when the `enable_names` setting is disabled. The issue affects versions prior to 3.5.3, 2025.11.1, and 2025.12.0; those three releases contain the fix.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of user information, specifically full usernames and full names, which may compromise user privacy and potentially facilitate further targeted attacks or social engineering.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Discourse to version 3.5.3, 2025.11.1, or 2025.12.0 or later, as these versions contain the fix for this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized disclosure of user real names even when the privacy setting to disable name exposure (`enable_names`) is active. Such unintended exposure of personal information can lead to privacy violations, potentially impacting compliance with data protection regulations like GDPR and HIPAA that require safeguarding personally identifiable information. By allowing attackers to enumerate user identities without privileges or user interaction, the vulnerability undermines privacy controls and could result in non-compliance with these standards. The fix restores proper enforcement of the privacy setting, thereby improving compliance with privacy requirements. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the user search functionality in Discourse while the `enable_names` setting is disabled: search via the UI or API for known partial usernames and check whether the results include users' real names despite `enable_names` being off. Because the issue lies in whether the search query respects the `enable_names` setting, you can also verify the Discourse version and confirm whether it is prior to the fixed versions (3.5.3, 2025.11.1, 2025.12.0). The referenced resources provide no explicit commands, but a practical approach is to use curl or a similar HTTP client to query the Discourse user search API endpoint with partial usernames and inspect the response for real names when `enable_names` is disabled. [3, 1, 2, 4]
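An offline version of the response inspection described above, as an added example that is not from the advisory or the Discourse project: it takes a response body saved from a user search on your own forum and lists the entries that carry a real name while `enable_names` is off. The `users`/`username`/`name` JSON layout and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample body; the {"users": [{"username", "name"}]} layout is an
# assumption about the search response, not taken from the advisory.
SAMPLE_RESPONSE = """
{"users": [
  {"username": "alice_admin", "name": "Alice Example"},
  {"username": "alicia", "name": ""},
  {"username": "alina", "name": null},
  {"username": "alix"}
]}
"""


def leaked_names(response_body, enable_names):
    """Return (username, name) pairs that expose a real name although
    the site's enable_names setting is off."""
    if enable_names:
        return []  # names are meant to be visible; nothing to flag
    try:
        data = json.loads(response_body)
    except json.JSONDecodeError as exc:
        raise ValueError("response body is not JSON") from exc
    users = data.get("users") if isinstance(data, dict) else None
    if not isinstance(users, list):
        return []  # no user list in the response
    findings = []
    for entry in users:
        if not isinstance(entry, dict):
            continue
        name = entry.get("name")
        # Empty, null, or missing names disclose nothing.
        if isinstance(name, str) and name.strip():
            findings.append((entry.get("username", "<unknown>"), name.strip()))
    return findings


if __name__ == "__main__":
    for username, name in leaked_names(SAMPLE_RESPONSE, enable_names=False):
        print(f"name exposed with enable_names off: {username} -> {name}")
```

An empty result with `enable_names` off is the expected outcome on a fixed version; any returned pair means the search response still carries real names.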