CVE-2025-47288: Discourse Policy plugin private group members visible

3.5 CVSS

Description

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1. A workaround involves moving any policy topics with private groups to restricted categories.

Classification

CVE ID: CVE-2025-47288

CVSS Base Severity: LOW

CVSS Base Score: 3.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: discourse

Product: discourse-policy

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 5.91% (scored less or equal to compared to others)

EPSS Date: 2025-05-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-47288
https://github.com/discourse/discourse-policy/security/advisories/GHSA-jc5r-rm2j-mh4x
https://github.com/discourse/discourse-policy/commit/6b4390fe486408cc86ccea6b091406cfac6c5b8f

Timeline

2025-05-29 20:40:12 UTC
CVE

Discourse Policy plugin private group members visible