Discourse Denial-of-Service Vulnerability via Malicious URL in Private Message to Bot User
Vulnerability
A denial-of-service vulnerability has been identified in Discourse, an open-source discussion platform. This issue affects versions prior to 3.4.4 of the stable branch, versions through 3.5.0.beta4 of the beta branch, and versions through 3.5.0.beta5-dev of the tests-passed branch. The vulnerability arises when a malicious URL is sent in a private message to a bot user, leading to a reduction in the availability of the Discourse instance.
Impact
Exploitation of this vulnerability causes a significant denial-of-service condition, reducing the availability of the affected Discourse instance.
Remediation
Users can upgrade to Discourse version 3.4.4 or later on the stable branch, version 3.5.0.beta5 or later on the beta branch, or version 3.5.0.beta6-dev on the tests-passed branch.
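To turn the three per-branch thresholds above into a check an operator can run against their own instance, here is an added example (not code from the advisory or from Discourse). It assumes Discourse's version string convention: a bare `x.y.z` on stable, `x.y.z.betaN` on beta, and `x.y.z.betaN-dev` on tests-passed, and infers the branch from that suffix.

```python
import re

# Fixed versions per branch, exactly as stated in the advisory.
FIXED_VERSION = {
    "stable": "3.4.4",
    "beta": "3.5.0.beta5",
    "tests-passed": "3.5.0.beta6-dev",
}

# Assumed Discourse version layout: MAJOR.MINOR.PATCH[.betaN][-dev]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?(-dev)?$")


def parse_version(version):
    """Return a sortable tuple for a Discourse version string.

    Ordering rules: a release without a beta suffix sorts after every beta
    of the same x.y.z, and a '-dev' build sorts just before the matching
    non-dev build (3.5.0.beta5-dev < 3.5.0.beta5 < 3.5.0).
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Discourse version: %r" % version)
    major, minor, patch, beta, dev = m.groups()
    beta_rank = int(beta) if beta is not None else float("inf")
    dev_rank = 0 if dev else 1
    return (int(major), int(minor), int(patch), beta_rank, dev_rank)


def infer_branch(version):
    """Map the version suffix to the release branch (assumed convention)."""
    parsed = parse_version(version)  # validates the format first
    if version.strip().endswith("-dev"):
        return "tests-passed"
    if parsed[3] != float("inf"):
        return "beta"
    return "stable"


def is_vulnerable(version, branch=None):
    """True if the given version predates the fix on its branch."""
    branch = branch or infer_branch(version)
    if branch not in FIXED_VERSION:
        raise ValueError("unknown branch: %r" % branch)
    return parse_version(version) < parse_version(FIXED_VERSION[branch])


if __name__ == "__main__":
    for v in ["3.4.3", "3.4.4", "3.5.0.beta4", "3.5.0.beta5", "3.5.0.beta6-dev"]:
        print(v, infer_branch(v), "vulnerable" if is_vulnerable(v) else "fixed")
```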