CVE-2025-46813 Overview
CVE-2025-46813 is an information disclosure vulnerability in Discourse, the open-source community platform. The flaw affects login-required sites that were deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. During this window, the homepage route exposed private content to unauthenticated users instead of redirecting them to the login screen. Sites tracking the stable branch are not affected. The vulnerability is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Unauthenticated network attackers can view homepage content intended only for authenticated users on Discourse login-required sites deployed during the affected window.
Affected Products
- Discourse 3.5.0.beta1
- Discourse 3.5.0.beta2
- Discourse 3.5.0.beta3
- Discourse 3.5.0.beta4 builds before commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b
Discovery Timeline
- 2025-05-05 - CVE-2025-46813 published to NVD
- 2025-09-26 - Last updated in NVD database
Technical Details for CVE-2025-46813
Vulnerability Analysis
Discourse supports a deployment mode called login-required, where all content must be hidden from unauthenticated visitors until they sign in. A development change introduced in commit 10df7fdee060d44accdee7679d66d778d1136510 (#32350) altered the homepage routing so that the login-required screen could render through the root route. The change inadvertently allowed homepage content to be served alongside the login-required screen for unauthenticated visitors. The result was an information leak: private homepage data became visible without authentication on affected deployments.
The issue only impacts sites deployed during a narrow window, roughly between noon EDT on April 30, 2025 and noon EDT on May 2, 2025. Stable branch installations never received the offending commit. The flaw is purely a data exposure issue and does not impact integrity or availability of the platform.
Root Cause
The root cause is a routing logic change in homepage-router-overrides.js that added /login-required as a valid intent URL prefix, combined with a new LoginRequiredController in app/controllers/discovery/login-required.js. Together these changes caused homepage content to be evaluated and rendered during the login-required transition, bypassing the gating that normally hides content from anonymous users.
Attack Vector
An unauthenticated remote attacker requests the root URL of a vulnerable Discourse instance configured as login-required. Instead of receiving only the login prompt, the response includes homepage content that should require authentication. No special tooling, credentials, or user interaction is required.
// Patch: introduction of LoginRequiredController (later reverted as fix)
// File: app/assets/javascripts/discourse/app/controllers/discovery/login-required.js
import Controller, { inject as controller } from "@ember/controller";
export default class LoginRequiredController extends Controller {
@controller application;
}
// Patch: router override that added the vulnerable intent URL match
// File: app/assets/javascripts/discourse/app/lib/homepage-router-overrides.js
const intentUrl = transition?.intent?.url;
if (
intentUrl?.startsWith(homepageDestination()) ||
intentUrl?.startsWith("/login-required") ||
(transition?.intent.name === `discovery.${defaultHomepage()}` &&
transition?.intent.queryParams[homepageRewriteParam])
) {
// homepage logic executed during login-required transitions
}
// Source: https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510
// Reverted in: https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b
Detection Methods for CVE-2025-46813
Indicators of Compromise
- Unauthenticated HTTP GET requests to / or /login-required returning topic titles, category lists, or other homepage data on sites where the login_required site setting is enabled.
- Anonymous user-agent traffic to the Discourse root route logged between April 30, 2025 and May 2, 2025 against an instance that was redeployed in that window.
- Search engine cache entries or external archives containing snapshots of a login-required Discourse instance's homepage content.
Detection Strategies
- Compare the Discourse deployment commit hash against the vulnerable range bounded by 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b.
- Issue an unauthenticated request to the site root and inspect the response body for topic, category, or user content that should be gated.
- Review web server and reverse proxy logs for 200-status responses to anonymous clients on / during the affected timeframe.
Monitoring Recommendations
- Alert on anomalous anonymous traffic volume to Discourse homepage endpoints on instances configured with login_required.
- Enable response-size monitoring on / for unauthenticated sessions and flag responses exceeding the expected login-required template size.
- Track Discourse upgrade and redeploy events through change management to correlate exposure windows with vulnerable commits.
How to Mitigate CVE-2025-46813
Immediate Actions Required
- Upgrade Discourse to a version of 3.5.0.beta4 built after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b, or move to the stable branch which is unaffected.
- Audit web access logs from the April 30 to May 2, 2025 window for unauthenticated requests to the homepage and assess what content was exposed.
- Rotate any sensitive content, invite links, or pinned posts that may have been visible from the homepage during the exposure window.
Patch Information
The issue was resolved by reverting the problematic routing change. See the GitHub Security Advisory GHSA-v3h7-c287-pfg9 and the reverting commit 82d84af6. Operators must upgrade; no configuration-level fix is available.
Workarounds
- No workarounds are available per the vendor advisory; upgrading to a non-vulnerable Discourse build is the only remediation.
- As a compensating control until upgrade, place the Discourse instance behind a reverse proxy or WAF that requires authentication before serving the root path.
# Example: upgrade a Discourse instance running the official Docker setup
cd /var/discourse
git pull
./launcher rebuild app
# Verify the deployed commit is at or after the fix
docker exec app bash -c "cd /var/www/discourse && git rev-parse HEAD"
# Expected: 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
