Unrated severityNVD Advisory· Published Nov 2, 2022· Updated Apr 23, 2025

Possible Server-Side Request Forgery (SSRF) in webhooks

CVE-2022-39241

Description

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a workaround, self-hosters can use DISCOURSE_BLOCKED_IP_BLOCKS env var (which overrides blocked_ip_blocks setting) to stop webhooks from accessing private IPs.

Affected products

Discourse (software)/Discoursev5
Range: <= 2.8.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rrmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000