CVE-2025-64528 is a vulnerability in Discourse
Published on December 30, 2025
Users are able to find users by name even when `enable_names` is off
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.
Weakness Type
Exposure of Sensitive Information Through Data Queries
When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
Products Associated with CVE-2025-64528
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version < 3.5.3 is affected.
- Version >= 2025.11.0-latest, < 2025.11.1 is affected.
- Version >= 2025.12.0-latest, < 2025.12.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.