CVE-2025-32376: 
NixOS vulnerability analysis and mitigation

Discourse, an open-source discussion platform, contains a vulnerability (CVE-2025-32376) that affects versions prior to 3.4.3 on the stable branch and 3.5.0.beta3 on the beta branch. The vulnerability allows bypassing the users limit for Direct Messages (DMs), potentially enabling the creation of DMs with every user from a site (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v4.0 base score of 4.8 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L. The vulnerability is classified under CWE-284 (Improper Access Control). The issue requires low attack complexity and can be exploited over the network, though it requires low privileges and active user interaction (NVD, Wiz).

The primary impact of this vulnerability is the potential to bypass DM user limits, allowing an attacker to create direct messages that include all users on a site. This could lead to availability issues in the system, though there are no direct confidentiality or integrity impacts (GitHub Advisory).

The vulnerability has been patched in stable version 3.4.3 and beta version 3.5.0.beta3. Users are advised to upgrade to these or later versions. No workarounds are available for this vulnerability (GitHub Advisory).