CVE-2025-24972

4.3 MEDIUM

📋 TL;DR

Discourse users who disabled direct messaging in their preferences could still be added to group direct messages in specific circumstances. This affects Discourse instances running vulnerable versions, allowing unauthorized group chat participation despite user preferences.

💻 Affected Systems

Products:
  • Discourse
Versions: All versions prior to 3.3.4 on the stable branch and prior to 3.4.0.beta5 on the beta branch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have disabled chat in their preferences; other users are unaffected

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users who explicitly disabled direct messaging for privacy or security reasons could be forced into group conversations, potentially exposing sensitive communications or violating user consent.

🟠

Likely Case

Users who disabled chat preferences are added to group direct messages they didn't consent to, violating their privacy settings and potentially exposing them to unwanted communications.

🟢

If Mitigated

With proper controls, users maintain control over their direct messaging preferences and cannot be added to group chats without consent.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated user access to add users to group chats

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.4 (stable) or 3.4.0.beta5 (beta)

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-4p63-qw6g-4mv2

Restart Required: Yes

Instructions:

1. Update Discourse to version 3.3.4 or higher on the stable branch
2. Or update to 3.4.0.beta5 or higher on the beta branch
3. Restart the Discourse application

🔧 Temporary Workarounds

User Preference Enforcement

all

If a user disables chat in their preferences, they cannot be added to new group chats

🧯 If You Can't Patch

  • Educate users to manually leave any unwanted group direct messages
  • Monitor group chat participation for users who have disabled chat preferences

🔍 How to Verify

Check if Vulnerable:

Check the running Discourse version in the admin panel or from the application itself and compare it against the patched versions above

Check Version:

Check admin panel or run: `RAILS_ENV=production bundle exec rails runner 'puts Discourse::VERSION::STRING'`

Verify Fix Applied:

Confirm Discourse version is 3.3.4 or higher (stable) or 3.4.0.beta5 or higher (beta)

📡 Detection & Monitoring

Log Indicators:

  • Users being added to group direct messages despite having chat disabled in preferences

Network Indicators:

  • Group direct message creation events involving users with disabled chat preferences

SIEM Query:

search 'user added to group direct message' AND 'user chat preference disabled'
