CVE-2025-64528 | THREATINT

Description

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.

PUBLISHED Reserved 2025-11-05 | Published 2025-12-30 | Updated 2025-12-30 | Assigner GitHub_M

MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-202: Exposure of Sensitive Information Through Data Queries

Product status

< 3.5.3

affected

>= 2025.11.0-latest, < 2025.11.1

affected

>= 2025.12.0-latest, < 2025.12.0

affected

References

github.com/...course/security/advisories/GHSA-c59w-jwx7-34v4

github.com/...ommit/1cb45b8b287597085e3514596ffb1d9b41938f81

github.com/...ommit/6192f55629624925595dae14364fd86cac0f09df

github.com/...ommit/e936a523b5900a9d866d23ea3da904ba12bb0fb2

cve.org (CVE-2025-64528)

nvd.nist.gov (CVE-2025-64528)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.

help @ threatint.eu