4.3

CVE-2025-24808

Discourse has race condition when adding users to a group DM

Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, someone who is about to reach the limit of users in a group DM may send requests to add new users in parallel. The requests might all go through ignoring the limit due to a race condition. The patch in versions `3.3.4` and `3.4.0.beta5` uses the `lock` step in service to wrap part of the `add_users_to_channel` service inside a distributed lock/mutex in order to avoid the race condition.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse SwEditionstable Version < 3.3.3
DiscourseDiscourse SwEditionbeta Version < 3.4.0
DiscourseDiscourse Version3.4.0 Updatebeta1 SwEditionbeta
DiscourseDiscourse Version3.4.0 Updatebeta2 SwEditionbeta
DiscourseDiscourse Version3.4.0 Updatebeta3 SwEditionbeta
DiscourseDiscourse Version3.4.0 Updatebeta4 SwEditionbeta
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.079
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.1 1.6 1.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://github.com/discourse/discourse/commit/a16b2f224860f6678f89f5ffa012f0ede17e4095
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-hfcx-qjw6-573r
Vendor Advisory