Unrated severity · NVD Advisory · Published Feb 15, 2022 · Updated Apr 23, 2025
Denial of Service in Discourse
CVE-2022-23641
Description
Discourse is an open source discussion platform. In versions prior to 2.8.1 in the stable branch, 2.9.0.beta2 in the beta branch, and 2.9.0.beta2 in the tests-passed branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job triggers an infinite loop, which causes memory leaks. This issue is patched in version 2.8.1 of the stable branch, 2.9.0.beta2 of the beta branch, and 2.9.0.beta2 of the tests-passed branch. As a workaround, disable onebox in the admin panel completely or specify an allow list of domains that will be oneboxed.
Affected products
- Range: stable <= 2.8.0
Patches
No patches discovered yet.
References
- https://github.com/discourse/discourse/commit/a34075d205a8857e29574ffd82aaece0c467565e
- https://github.com/discourse/discourse/pull/15927
- https://github.com/discourse/discourse/security/advisories/GHSA-22xw-f62v-cfxv