CVE-2025-64528

5.3 MEDIUM

📋 TL;DR

This vulnerability in Discourse lets an attacker discover users' full names even when the 'enable_names' setting is disabled, by submitting partial usernames through the UI or API. It affects Discourse instances running versions before 3.5.3, 2025.11.1, and 2025.12.0. The disclosure undermines user privacy and could facilitate targeted attacks.

💻 Affected Systems

Products:
  • Discourse
Versions: All versions prior to 3.5.3, 2025.11.1, and 2025.12.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all unpatched Discourse deployments in which 'enable_names' is disabled, regardless of other configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could deanonymize users, enabling targeted social engineering, harassment, or doxxing campaigns against specific individuals.

🟠 Likely Case

Privacy violation where attackers can link partial usernames to real identities, potentially compromising user anonymity.

🟢 If Mitigated

Limited impact if usernames are already public or if the user base is small and known, but privacy expectations are still violated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only partial username knowledge and can be done via UI or API without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.3, 2025.11.1, or 2025.12.0

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4

Restart Required: Yes

Instructions:

1. Back up your Discourse instance.
2. Update to Discourse version 3.5.3, 2025.11.1, or 2025.12.0 using your deployment method (Docker, manual, etc.).
3. Restart the Discourse service.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Enable Names Setting


Temporarily enable the 'enable_names' setting so that full names are publicly visible by design; the bypass then discloses nothing that is not already shown. This closes the information disclosure at the cost of the privacy the setting provided, so revert it once patched.

cd /var/discourse
./launcher enter app
rails c
SiteSetting.enable_names = true

🧯 If You Can't Patch

  • Implement rate limiting on user search endpoints to make enumeration more difficult
  • Monitor logs for unusual patterns of user search queries from single IPs

🔍 How to Verify

Check if Vulnerable:

Check the Discourse version via the admin panel, or from the host with the commands under Check Version below. Note that ./launcher enter app opens an interactive shell inside the container; the cat must be typed in that shell, since chaining it with && on the host would run it outside the container.

Check Version:

cd /var/discourse
./launcher enter app
cat /usr/src/app/VERSION

Verify Fix Applied:

After patching, test that partial username searches no longer return full names when 'enable_names' is disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of user search requests
  • Patterns of sequential username guessing attempts

Network Indicators:

  • High frequency of requests to /u/search endpoints
  • API calls with partial username parameters

SIEM Query:

source="discourse.logs" AND (uri_path="/u/search" OR message="user search") | stats count by src_ip
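The sequential-guessing pattern listed above, turned into log-side detection as an added example (not Discourse's own code): it parses nginx combined-format access log lines, constructed here, and flags any source IP that issues more than a threshold of distinct `term` values against /u/search paths within a time window. The /u/search path prefix and the `term` parameter name follow the indicators above and are assumptions about the deployment's log format.

```python
# Added example (not Discourse code): flag IPs whose distinct `term` values on
# /u/search* exceed a threshold within a time window (sequential guessing).
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed nginx combined-format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [01/Dec/2025:10:00:01 +0000] "GET /u/search/users?term=ali HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.9 - - [01/Dec/2025:10:00:02 +0000] "GET /u/search/users?term=alic HTTP/1.1" 200 480 "-" "curl/8.4"
203.0.113.9 - - [01/Dec/2025:10:00:03 +0000] "GET /u/search/users?term=alice HTTP/1.1" 200 455 "-" "curl/8.4"
203.0.113.9 - - [01/Dec/2025:10:00:04 +0000] "GET /u/search/users?term=bo HTTP/1.1" 200 470 "-" "curl/8.4"
198.51.100.4 - - [01/Dec/2025:10:00:05 +0000] "GET /u/search/users?term=dan HTTP/1.1" 200 430 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Dec/2025:10:00:06 +0000] "GET /t/hello-world/12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3}'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, term) for a /u/search request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if not url.path.startswith("/u/search"):
        return None
    term = parse_qs(url.query).get("term", [""])[0]
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), term

def suspicious_clients(log_text, max_terms=3, window=timedelta(minutes=5)):
    """Map IP -> most distinct terms seen in any window, for IPs over max_terms."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, term = parsed
            events[ip].append((ts, term))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological, so a window can start at each event i
        for i, (start, _) in enumerate(evs):
            terms = {t for ts, t in evs[i:] if ts - start <= window}
            if len(terms) > max_terms:
                flagged[ip] = max(flagged.get(ip, 0), len(terms))
    return flagged
```

Tune `max_terms` and `window` to the normal autocomplete volume of your forum; a legitimate user typing one name produces a handful of prefixes, not dozens of unrelated ones.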

🔗 References
