CVE-2025-49845
📋 TL;DR
Discourse users on vulnerable versions can continue to view their own 'whisper' posts even after being removed from groups with whisper permissions. This creates an information disclosure vulnerability where users retain access to sensitive content they should no longer see. Only affects Discourse installations with whisper functionality enabled.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Former privileged users maintain persistent access to sensitive whisper conversations containing confidential information, intellectual property, or private discussions.
Likely Case
Users who change roles or leave privileged groups can still access historical whisper posts they created or participated in, violating intended access controls.
If Mitigated
With proper group management and regular access reviews, impact is limited to historical data access rather than ongoing information leakage.
🎯 Exploit Status
Exploitation requires authenticated user access and previous participation in whisper conversations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Stable: 3.4.6; Tests-passed: 3.5.0.beta8-dev
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-79qw-r73r-69gf
Restart Required: Yes
Instructions:
1. Back up your Discourse installation and database.
2. Update to Discourse 3.4.6 (stable) or 3.5.0.beta8-dev (tests-passed).
3. Restart the Discourse application.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable whisper functionality
Remove all groups from the 'whispers_allowed_groups' site setting to disable whisper posts entirely. This is normally done in the admin UI; if you apply it directly in the Discourse PostgreSQL database as below, restart the application afterwards so the change takes effect:
UPDATE site_settings SET value = '' WHERE name = 'whispers_allowed_groups';
🧯 If You Can't Patch
- Implement strict group membership reviews and immediately remove users from whisper groups when access is no longer needed
- Monitor user activity logs for unusual access patterns to whisper posts by users not in allowed groups
🔍 How to Verify
Check if Vulnerable:
Check Discourse version via admin panel or run: `cd /var/discourse && ./launcher status app`
Check Version:
cd /var/discourse && grep DISCOURSE_VERSION containers/app.yml
Verify Fix Applied:
Confirm version is 3.4.6 or higher (stable) or 3.5.0.beta8-dev or higher (tests-passed)
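The two thresholds above belong to different branches: a tests-passed build such as 3.5.0.beta1 is numerically "higher" than 3.4.6 but predates the fix, so a plain version comparison gives the wrong answer. The following is an added example, not part of this advisory or of Discourse itself; it assumes Discourse's `MAJOR.MINOR.PATCH[.betaN[-dev]]` version string format and compares stable versions against 3.4.6 and beta versions against 3.5.0.beta8-dev.

```python
import re

# Fixed thresholds from the advisory, one per release branch.
FIXED_STABLE = (3, 4, 6)            # stable: 3.4.6
FIXED_TESTS_PASSED = (3, 5, 0, 8, 0)  # tests-passed: 3.5.0.beta8-dev

# Assumed version format: 3.4.6, 3.5.0.beta8, 3.5.0.beta8-dev
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+)(-dev)?)?$")


def parse_version(version):
    """Split a Discourse version string into (core, beta) components.

    core is (major, minor, patch); beta is None for stable releases, otherwise
    (beta_number, dev_flag) where dev_flag is 0 for a "-dev" pre-release of
    that beta and 1 for the beta itself, so beta8-dev sorts below beta8.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Discourse version: {version!r}")
    major, minor, patch, beta, dev = m.groups()
    core = (int(major), int(minor), int(patch))
    if beta is None:
        return core, None
    return core, (int(beta), 0 if dev else 1)


def is_fixed(version):
    """True if the given version contains the fix for CVE-2025-49845."""
    core, beta = parse_version(version)
    if beta is None:
        # Stable branch: compare against 3.4.6.
        return core >= FIXED_STABLE
    # Tests-passed branch: compare against 3.5.0.beta8-dev, beta number included.
    return core + beta >= FIXED_TESTS_PASSED


if __name__ == "__main__":
    for v in ["3.4.5", "3.4.6", "3.5.0.beta1", "3.5.0.beta7", "3.5.0.beta8-dev", "3.5.0.beta8"]:
        print(f"{v:>16}: {'fixed' if is_fixed(v) else 'VULNERABLE'}")
```

Feed it the version string from the admin panel or from `containers/app.yml`; an unrecognised format raises rather than silently reporting "fixed".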
📡 Detection & Monitoring
Log Indicators:
- Users accessing whisper posts after group membership changes
- Access logs showing whisper post views by users not in whispers_allowed_groups
Network Indicators:
- API calls to whisper endpoints by unauthorized users
SIEM Query:
Pseudo-query (the original mixes SPL and SQL syntax; adapt field and table names to your SIEM and export schema). It lists whisper post views by users who are not currently in any group listed in whispers_allowed_groups:
SELECT ts, user_id, post_id FROM discourse_logs
WHERE event = 'view_post' AND post_type = 'whisper'
  AND user_id NOT IN (SELECT user_id FROM group_users WHERE group_id IN (<whispers_allowed_groups>));
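The same detection logic run over sample data, as an added example that is not part of this advisory or of Discourse. The JSON-lines view events, the group_users rows and the setting value are constructed here; the assumption that a group-list site setting is stored as pipe-separated group ids (e.g. "3|41") matches Discourse's storage format, but map the field names onto your own export. Because the allowed set is computed from current membership, a former group member still viewing old whisper posts (the behaviour this CVE describes) is exactly what gets flagged; an empty setting, as after the workaround above, flags every whisper view.

```python
import json

# Constructed: current value of the whispers_allowed_groups site setting
# (pipe-separated group ids, as Discourse stores group-list settings).
WHISPERS_ALLOWED_GROUPS = "3|41"

# Constructed: current group_users rows as (group_id, user_id).
# User 104 is in group 10 only, which is not a whisper-allowed group.
GROUP_USERS = [(3, 101), (41, 102), (3, 103), (10, 104)]

# Constructed: JSON-lines post view events as a SIEM/Discourse export might emit them.
SAMPLE_LOG = """\
{"ts":"2025-06-20T10:00:01Z","event":"view_post","user_id":101,"post_id":501,"post_type":"whisper"}
{"ts":"2025-06-20T10:00:05Z","event":"view_post","user_id":104,"post_id":501,"post_type":"whisper"}
{"ts":"2025-06-20T10:00:09Z","event":"view_post","user_id":104,"post_id":502,"post_type":"regular"}
not-json garbage line
{"ts":"2025-06-20T10:01:00Z","event":"view_post","user_id":999,"post_id":503,"post_type":"whisper"}
{"ts":"2025-06-20T10:01:30Z","event":"view_post","user_id":103,"post_id":501,"post_type":"whisper"}
"""


def allowed_user_ids(setting_value, group_users):
    """Users who currently belong to at least one whisper-allowed group."""
    allowed_groups = {int(g) for g in setting_value.split("|") if g.strip()}
    return {uid for gid, uid in group_users if gid in allowed_groups}


def find_unauthorized_whisper_views(log_lines, allowed_users):
    """Return whisper-post view events whose user is outside the allowed set."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than abort the run
        if ev.get("event") != "view_post" or ev.get("post_type") != "whisper":
            continue  # only whisper views matter for this CVE
        if ev.get("user_id") not in allowed_users:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    allowed = allowed_user_ids(WHISPERS_ALLOWED_GROUPS, GROUP_USERS)
    for hit in find_unauthorized_whisper_views(SAMPLE_LOG.splitlines(), allowed):
        print(f"{hit['ts']} user {hit['user_id']} viewed whisper post {hit['post_id']}")
```

Run against a real export, the membership snapshot should be taken at analysis time, since the whole point is catching users whose membership has already been revoked.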