CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
Analysis
Discourse versions prior to 3.4.6 (stable) and 3.5.0.beta8-dev (tests-passed) contain an information disclosure vulnerability where users retain visibility of their own whisper-typed posts even after losing group membership that should restrict access to whispers. This is a logic flaw in the whisper visibility enforcement mechanism (CWE-200: Information Exposure) affecting unauthenticated network access with high confidentiality impact. No public exploitation has been reported, but the issue is easily discoverable through normal platform usage.
Technical Context
Discourse is an open-source discussion platform that implements a whisper post type—a feature allowing posts visible only to specified groups via the `whispers_allowed_groups` site setting. The vulnerability stems from insufficient visibility control logic (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) where the authorization check fails to properly enforce group membership restrictions on historical whisper posts owned by the user. The root cause appears to be a gap in re-evaluating post visibility permissions when group membership changes, allowing users to retain access to previously authored whispers despite no longer belonging to authorized groups. The affected products are Discourse instances (CPE pattern: cpe:2.3:a:discourse:discourse:*) running versions 3.4.x prior to 3.4.6 and 3.5.0.beta versions prior to beta8-dev.
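To make the visibility logic described in the Analysis and Technical Context sections concrete, here is an added Ruby model (not Discourse's own code; the struct, class and method names are assumptions) that contrasts a check granting the author permanent visibility of their own whispers with one that derives visibility solely from current membership in `whispers_allowed_groups`.

```ruby
# Added illustration, not Discourse source: a minimal model of the whisper
# visibility check. Names (User, Post, SiteSettings, can_see_post_*) are
# assumptions chosen for the example.
require 'set'

User = Struct.new(:id, :group_ids)
Post = Struct.new(:id, :user_id, :whisper) # whisper: true for whisper-typed posts

class SiteSettings
  attr_reader :whispers_allowed_groups # stand-in for the real site setting
  def initialize(groups)
    @whispers_allowed_groups = Set.new(groups)
  end
end

def in_allowed_group?(user, settings)
  !(Set.new(user.group_ids) & settings.whispers_allowed_groups).empty?
end

# Flawed check: authorship alone grants visibility, so a user who wrote a
# whisper while in an allowed group still sees it after being removed.
def can_see_post_flawed?(user, post, settings)
  return true unless post.whisper
  post.user_id == user.id || in_allowed_group?(user, settings)
end

# Corrected check: whisper visibility is re-evaluated against current group
# membership on every access; being the author grants nothing by itself.
def can_see_post_fixed?(user, post, settings)
  return true unless post.whisper
  in_allowed_group?(user, settings)
end

# Filter a topic's posts the way a view would, with either check.
def visible_posts(user, posts, settings, fixed: true)
  posts.select do |p|
    fixed ? can_see_post_fixed?(user, p, settings) : can_see_post_flawed?(user, p, settings)
  end
end

# Constructed scenario: alice (user 1) wrote whisper post 10 while in group 3,
# the only allowed group, and was then removed from that group. bob (user 2)
# is still in group 3 and wrote the regular post 11.
SETTINGS = SiteSettings.new([3])
ALICE_AFTER_REMOVAL = User.new(1, [])
BOB_IN_GROUP = User.new(2, [3])
POSTS = [Post.new(10, 1, true), Post.new(11, 2, false)]
```

With the flawed check alice still sees post 10 after removal; with the corrected check she sees only post 11, while bob keeps access until the setting or his membership changes.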
Affected Products
Discourse (Stable Branch) (< 3.4.6); Discourse (Tests-Passed Branch) (< 3.5.0.beta8-dev)
EUVD-2025-19108