CVE-2025-24972: 
NixOS vulnerability analysis and mitigation

Discourse, an open-source discussion platform, was found to contain a vulnerability (CVE-2025-24972) that allows users to be added to group direct messages despite having direct messaging disabled in their preferences. This vulnerability affects versions prior to 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch. The issue was disclosed on March 26, 2025 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity and low privileges, needs no user interaction, has unchanged scope, and impacts only integrity with low severity while having no impact on confidentiality or availability (NVD).

The vulnerability allows attackers to bypass user preferences specifically related to direct messaging. Users who have explicitly disabled direct messaging could still be added to group direct messages, potentially receiving unwanted communications and violating their chosen privacy settings (GitHub Advisory).

The issue has been patched in versions 3.3.4 and 3.4.0.beta5. As a workaround, users can disable chat entirely in their preferences to prevent being added to new group chats (GitHub Advisory).