SB2025032722 - Multiple vulnerabilities in Discourse
Published: March 27, 2025
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Race condition (CVE-ID: CVE-2025-24808)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a race condition when adding users to a group DM. A remote user can exploit the race and send requests to add new users in parallel ignoring the limit.
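The bug class described above, a member cap enforced as a separate check and write that parallel requests can interleave, is modelled here as an added example; it is constructed illustration code, not Discourse's implementation, and the `GroupDm` class, its `limit`, and the sleep that stands in for request latency are assumptions.

```ruby
require 'set'

# Toy group DM with a member cap (constructed example, not Discourse code).
class GroupDm
  attr_reader :members

  def initialize(limit)
    @limit = limit
    @members = Set.new
    @lock = Mutex.new
  end

  # Vulnerable pattern: check-then-act with no lock. Every parallel request
  # can pass the size check before any of them has written, so the cap is
  # silently exceeded.
  def add_member_racy(user)
    return false if @members.size >= @limit
    sleep 0.02                 # stands in for DB/network latency between check and write
    @members << user
    true
  end

  # Hardened pattern: check and write form one critical section, so concurrent
  # requests serialize and the cap holds regardless of timing.
  def add_member_safe(user)
    @lock.synchronize do
      return false if @members.size >= @limit
      @members << user
      true
    end
  end
end

# Fire n "add user" requests in parallel against dm using the given method and
# return dm so the caller can inspect the resulting membership.
def parallel_adds(dm, method, n)
  threads = Array.new(n) { |i| Thread.new { dm.public_send(method, "user#{i}") } }
  threads.each(&:join)
  dm
end

if $PROGRAM_NAME == __FILE__
  puts "racy: #{parallel_adds(GroupDm.new(3), :add_member_racy, 8).members.size} members (cap 3)"
  puts "safe: #{parallel_adds(GroupDm.new(3), :add_member_safe, 8).members.size} members (cap 3)"
end
```

In a real web application the in-process mutex is not enough across workers; the equivalent fix is a database-level constraint or a row lock taken around the check and insert.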
2) Improper access control (CVE-ID: CVE-2025-24972)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass user preference when adding users to chat groups.
Remediation
Install update from vendor's website.