CVE-2022-23548
MEDIUMDiscourse < 2.8.14 - Regular Expression Denial of Service
Title source: llmDescription
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.
References (2)
Core 2
Core References
Patch, Third Party Advisory
https://github.com/discourse/discourse/pull/19737
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf
Scores
CVSS v3
6.5
EPSS
0.0073
EPSS Percentile
49.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1333
Status
published
Products (3)
discourse/discourse
2.9.0 beta1 (13 CPE variants)
discourse/discourse
3.0.0 beta15
discourse/discourse
< 2.8.14
Published
Jan 05, 2023
Tracked Since
Feb 18, 2026