What is the severity of CVE-2025-24808?

CVE-2025-24808 has been classified with a severity rating that indicates a potential risk to user group management in Discourse.

How do I fix CVE-2025-24808?

To mitigate CVE-2025-24808, upgrade to Discourse version 3.3.4 or later for the stable branch, or version 3.4.0.beta5 or later for the beta branch.

What does CVE-2025-24808 affect?

CVE-2025-24808 affects Discourse prior to version 3.3.4 on the stable branch and version 3.4.0.beta5 on the beta branch.

What type of vulnerability is CVE-2025-24808?

CVE-2025-24808 is a vulnerability related to user management in group direct messages on the Discourse platform.

What should I do if I can't upgrade to fix CVE-2025-24808?

If you cannot upgrade, consider implementing rate limiting or monitoring user group requests to prevent abuse until an upgrade is possible.

Vulnerability/
CVE-2025-24808

medium

4.3

CWE

362

26/3/2025

27/3/2025

CVE-2025-24808: Discourse has race condition when adding users to a group DM

First published: Wed Mar 26 2025(Updated: )

Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, someone who is about to reach the limit of users in a group DM may send requests to add new users in parallel. The requests might all go through ignoring the limit due to a race condition. The patch in versions `3.3.4` and `3.4.0.beta5` uses the `lock` step in service to wrap part of the `add_users_to_channel` service inside a distributed lock/mutex in order to avoid the race condition.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<3.3.4<3.4.0.beta5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-24808?
CVE-2025-24808 has been classified with a severity rating that indicates a potential risk to user group management in Discourse.
How do I fix CVE-2025-24808?
To mitigate CVE-2025-24808, upgrade to Discourse version 3.3.4 or later for the stable branch, or version 3.4.0.beta5 or later for the beta branch.
What does CVE-2025-24808 affect?
CVE-2025-24808 affects Discourse prior to version 3.3.4 on the stable branch and version 3.4.0.beta5 on the beta branch.
What type of vulnerability is CVE-2025-24808?
CVE-2025-24808 is a vulnerability related to user management in group direct messages on the Discourse platform.
What should I do if I can't upgrade to fix CVE-2025-24808?
If you cannot upgrade, consider implementing rate limiting or monitoring user group requests to prevent abuse until an upgrade is possible.

collector/mitre-cve
source/MITRE
agent/severity
agent/references
agent/weakness
agent/title
agent/source
agent/type
agent/first-publish-date
collector/nvd-api
source/NVD
agent/author
agent/event
agent/last-modified-date
agent/description
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
vendor/discourse
canonical/discourse

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.