Description
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, crafting requests to submit very long tag group names can reduce the availability of a Discourse instance. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-4j6h-9pjp-5476
Patch x_refsource_misc
https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210
Scores
CVSS v3: 4.9
EPSS: 0.0061
EPSS Percentile: 69.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-400
Status: published
Products (2)
discourse/discourse: 3.3.0 beta1 (4 CPE variants)
discourse/discourse: < 3.2.5
Published: Jul 30, 2024
Tracked Since: Feb 18, 2026