CVE-2025-46813
📋 TL;DR
This CVE describes an information disclosure in Discourse: on sites with login required enabled, unauthenticated visitors could view private content on the homepage. Only sites deployed from a commit in a narrow range (commits made between April 30 and May 2, 2025) are affected; sites on the stable branch are not vulnerable.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Sensitive private content intended only for authenticated users becomes publicly accessible, potentially exposing confidential discussions, user data, or proprietary information.
Likely Case
Limited exposure of homepage content to unauthenticated visitors, potentially revealing recent discussions, topics, or metadata that should remain private.
If Mitigated
Sites on the stable branch, and sites whose deployed commit lies outside the affected range, are not exposed at all. For an affected site, exposure lasts from the vulnerable deployment until the site is redeployed past the fix commit; the roughly 48-hour span of vulnerable commits (April 30 to May 2, 2025) bounds which deployments could have picked them up, not how long an affected site stays exposed. Network-level access controls in front of the site (see below) close the window until the redeploy.
🎯 Exploit Status
Exploitation requires no authentication and involves simply accessing the homepage of affected login-required sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9
Restart Required: Yes
Instructions:
1. Upgrade Discourse to a version after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b (on a standard Docker install, `./launcher rebuild app` pulls the new checkout).
2. Restart the Discourse application (a rebuild does this for you).
3. Verify the fix by checking that unauthenticated users cannot view homepage content on login-required sites.
🧯 If You Can't Patch
- Temporarily take the site offline, or restrict who can reach it with network controls (firewall or proxy IP allowlist).
- Add an authentication layer in front of Discourse at the web server or reverse proxy, for example HTTP basic auth, so anonymous visitors never reach the application until it is redeployed.
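The following front-proxy configuration is an added example of the second workaround; it is not Discourse's own configuration. The server name, certificate paths, upstream address (a Discourse container published on 127.0.0.1:8080), htpasswd file and allowlisted network are all assumptions for the illustration.

```nginx
# Added example: nginx reverse proxy gating a vulnerable Discourse until redeploy.
server {
    listen 443 ssl;
    server_name forum.example.com;                                   # assumed
    ssl_certificate     /etc/letsencrypt/live/forum.example.com/fullchain.pem;  # assumed
    ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem;    # assumed

    # Either an allowlisted source network OR valid basic-auth credentials
    # lets a request through; everyone else gets 401/403 and never reaches
    # the application, so the leaking homepage is not served anonymously.
    satisfy any;
    allow 203.0.113.0/24;          # assumed: office/VPN range that may bypass basic auth
    deny  all;
    auth_basic           "Forum temporarily restricted";
    auth_basic_user_file /etc/nginx/discourse.htpasswd;   # assumed: htpasswd -c <file> <user>

    location / {
        proxy_pass http://127.0.0.1:8080;                  # assumed: Discourse container port
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Discourse uses long-polling (message bus) and websockets-style upgrades.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Basic auth at the proxy also blocks API clients, inbound webhooks and the mobile app, so treat it as a stopgap measured in hours or days: remove it as soon as the site has been rebuilt past the fix commit.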
🔍 How to Verify
Check if Vulnerable:
Find the commit your deployment was built from and check whether it falls in the affected range 10df7fdee060d44accdee7679d66d778d1136510 to 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b (a checkout that descends from the first commit but not from the second). Then test whether an unauthenticated visitor can view homepage content on the login-required site.
Check Version (run inside the Discourse app checkout, /var/www/discourse in a standard container install):
git log --oneline -1
Verify Fix Applied:
Confirm the deployment is using a commit after 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. Then test that an unauthenticated GET of / on the login-required site does not return topic content; a correctly behaving login-required site normally answers an anonymous visitor with a redirect to /login rather than rendering the homepage.
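The script below is an added example of both verification steps; it is not Discourse's code. It assumes the standard checkout path /var/www/discourse, treats the affected range as starting at 10df7fde and ending (exclusive) at the fix commit 82d84af6, and relies on a heuristic about Discourse's HTML: list pages embed their state in a data-preloaded attribute, and a topic_list key there means topic data was served to the anonymous visitor. The commit check needs full git history, so a shallow checkout should be un-shallowed first (git fetch --unshallow).

```python
"""Added example (not Discourse's own code): two checks for CVE-2025-46813.

1. Commit check: is the deployed checkout inside the affected commit range?
2. Homepage probe: does an anonymous GET / return topic data?
"""
import subprocess
import sys
import urllib.error
import urllib.request

INTRO_COMMIT = "10df7fdee060d44accdee7679d66d778d1136510"  # start of affected range
FIX_COMMIT = "82d84af6b0efbd9fa2aeec3e91ce7be1a768511b"    # fix commit
DEFAULT_REPO = "/var/www/discourse"  # assumed: app checkout in a standard container install


def is_ancestor(repo, commit, descendant="HEAD"):
    """True if `commit` is an ancestor of (or equal to) `descendant` in `repo`."""
    r = subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", commit, descendant],
        capture_output=True, text=True,
    )
    if r.returncode in (0, 1):
        return r.returncode == 0
    # Any other exit code means git could not answer (unknown commit, shallow clone).
    raise RuntimeError(f"git could not resolve {commit}: {r.stderr.strip()}")


def commit_in_affected_range(has_intro, has_fix):
    """Range treated as [INTRO_COMMIT, FIX_COMMIT): vulnerable once the first commit
    is in the history and until the fix commit is (assumption about the bounds)."""
    return has_intro and not has_fix


def classify_homepage_response(status, body):
    """Classify an anonymous GET / on a login-required site.

    'redirected' - 3xx (normal: anonymous visitors are sent to /login)
    'leak'       - 200 with preloaded topic_list data in the page (heuristic)
    'no-topics'  - anything else (e.g. a 200 login page without topic data)
    """
    if 300 <= status < 400:
        return "redirected"
    if status == 200 and "data-preloaded" in body and "topic_list" in body:
        return "leak"
    return "no-topics"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects: the 3xx itself is the signal we want to see.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_homepage(base_url):
    """Fetch / with no cookies (i.e. as an anonymous visitor) and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + "/",
                                 headers={"User-Agent": "cve-2025-46813-check"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return classify_homepage_response(resp.status,
                                              resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # raised for unfollowed 3xx and for 4xx/5xx
        return classify_homepage_response(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_REPO
    site = sys.argv[2] if len(sys.argv) > 2 else None
    affected = commit_in_affected_range(is_ancestor(repo, INTRO_COMMIT),
                                        is_ancestor(repo, FIX_COMMIT))
    print(f"checkout {repo}: {'IN affected range' if affected else 'outside affected range'}")
    if site:
        print(f"anonymous GET {site}/ -> {probe_homepage(site)}")
```

Run it as `python3 check.py /var/www/discourse https://forum.example.com`; a result of "outside affected range" plus "redirected" is the expected post-fix state, while "IN affected range" or "leak" means the site still needs a rebuild.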
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated GET requests to the homepage returning 200 OK on a login-required site (normally an anonymous visitor is redirected to /login, so a 200 with page content is the anomaly)
- Increased traffic from unauthenticated IPs to homepage
Network Indicators:
- Unauthenticated HTTP GET requests to root path (/) on login-required sites
SIEM Query (pseudo-query; adapt field names to your log source. Discourse's own request logs carry no `authenticated` field, so derive it at the reverse proxy from the presence of the `_t` session cookie, which requires logging the Cookie header):
source="discourse_logs" AND status=200 AND path="/" AND authenticated=false
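As an added example of turning the indicators above into a runnable check (this is not a Discourse tool), the script below scans reverse-proxy access log lines for anonymous 200 responses on homepage routes. The log lines are constructed for the illustration, and the format is an assumption: nginx "combined" with the request's Cookie header appended as a final quoted field via a custom log_format (stock nginx does not log cookies). It goes slightly beyond the query above by covering the other routes Discourse can serve as its homepage, not only /.

```python
"""Added example (not Discourse code): detect anonymous 200s on homepage routes."""
import re
from collections import Counter

# Constructed sample log lines (not real traffic). Last quoted field = Cookie header.
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2025:10:02:11 +0000] "GET / HTTP/1.1" 200 48213 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [01/May/2025:10:02:12 +0000] "GET /assets/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [01/May/2025:10:03:40 +0000] "GET / HTTP/1.1" 200 51022 "-" "Mozilla/5.0" "_t=abc123; _forum_session=xyz"
203.0.113.9 - - [01/May/2025:10:04:01 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.0" "-"
198.51.100.8 - - [01/May/2025:10:05:55 +0000] "GET /latest?no_definitions=true HTTP/1.1" 200 47711 "-" "python-requests/2.31" "-"
"""

# Assumed log_format: combined + "$http_cookie" appended.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Routes Discourse can serve as the homepage depending on the top_menu setting.
HOMEPAGE_PATHS = {"/", "/latest", "/categories", "/top", "/new", "/unread"}
AUTH_COOKIE = "_t"  # Discourse's session token cookie; absent => anonymous request


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]      # drop the query string
    rec["status"] = int(rec["status"])
    cookies = [c.strip() for c in rec["cookie"].split(";")]
    rec["authenticated"] = any(c.startswith(AUTH_COOKIE + "=") for c in cookies)
    return rec


def find_anonymous_homepage_hits(log_text):
    """Return records for anonymous GETs of a homepage route that got a 200.

    On a login-required site these should not exist (anonymous visitors are
    redirected), so each hit is a candidate exposure event."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "GET" and rec["path"] in HOMEPAGE_PATHS
                and rec["status"] == 200 and not rec["authenticated"]):
            hits.append(rec)
    return hits


def hits_by_ip(hits):
    """Aggregate hits per source IP, the 'increased traffic' indicator above."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_anonymous_homepage_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} anonymous GET {h["path"]} -> 200 ({h["ua"]})')
    print("per-IP counts:", dict(hits_by_ip(found)))
```

The cookie-based authentication inference is only as good as the proxy log: if your format does not record the Cookie header, the `authenticated` field cannot be derived and every 200 on / must be reviewed by hand.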