Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 0
- >= 2025.11.0-latest
- >= 2025.12.0-latest
- >= 2026.1.0-latest
A denial-of-service vulnerability has been identified in Discourse, an open-source discussion platform, affecting versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. An authenticated user can submit a crafted payload to the /drafts.json endpoint that triggers O(n^2) processing in the Base62.decode function, tying up a server worker for 35 to 60 seconds per request. Because those workers are drawn from a pool shared by all requests, the slowdown exhausts the pool and degrades service for every user. Lowering the max_draft_length site setting reduces the attack surface but does not fully mitigate the issue: a payload that stays under the limit can still trigger the quadratic path.
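The following Ruby block is an added illustration, not Discourse's own lib/base62.rb or its patch. It shows why a positional base62 decode built on arbitrary-precision integers is quadratic in the input length, and contrasts it with a decoder that rejects any input longer than a real identifier could ever be. The module name Base62Demo, the method names decode_unbounded, decode_bounded, encode and timing_demo, and the MAX_LEN bound of 11 digits (enough for any 64-bit value) are assumptions made for this example.

```ruby
# Illustrative base62 decoder written for this advisory; it is NOT Discourse's
# lib/base62.rb. Module, method and constant names are assumptions.
module Base62Demo
  ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".freeze
  VALUE = ALPHABET.each_char.with_index.to_h.freeze

  # A 64-bit ID never needs more than 11 base62 digits (62**11 > 2**64).
  MAX_LEN = 11

  # Naive positional decode. The accumulator is an arbitrary-precision
  # Integer, so `acc * 62 + d` costs time proportional to the size of acc,
  # which grows with every character: n characters cost O(n^2) overall.
  def self.decode_unbounded(str)
    acc = 0
    str.each_char do |c|
      d = VALUE.fetch(c) { raise ArgumentError, "invalid base62 character #{c.inspect}" }
      acc = acc * 62 + d
    end
    acc
  end

  # Hardened decode: reject input longer than any legitimate ID before
  # touching the bignum path. A generic size limit on the whole draft (what
  # lowering max_draft_length gives you) still admits inputs thousands of
  # characters long; the cap belongs at the decoder itself and must be tied
  # to the widest value the decoder is expected to produce.
  def self.decode_bounded(str, max_len: MAX_LEN)
    if str.length > max_len
      raise ArgumentError, "base62 input too long (#{str.length} > #{max_len})"
    end
    decode_unbounded(str)
  end

  # Encoder used to round-trip values in the demo and tests.
  def self.encode(n)
    raise ArgumentError, "negative values are not encodable" if n < 0
    return ALPHABET[0] if n.zero?
    out = +""
    while n > 0
      n, r = n.divmod(62)
      out << ALPHABET[r]
    end
    out.reverse
  end

  # Decode an all-'z' payload of each length and return [length, seconds]
  # pairs; doubling the input roughly quadruples the time.
  def self.timing_demo(lengths = [5_000, 10_000, 20_000])
    lengths.map do |n|
      input = ALPHABET[-1] * n # constructed payload: largest possible accumulator
      t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
      decode_unbounded(input)
      [n, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  Base62Demo.timing_demo.each { |n, s| printf("%7d chars: %.4f s\n", n, s) }
  begin
    Base62Demo.decode_bounded("z" * 100_000)
  rescue ArgumentError => e
    puts "bounded decoder rejected oversized input: #{e.message}"
  end
end
```

Running the file prints the decode time for growing inputs, which is the signature to look for when profiling a suspect decoder: each doubling of the input should cost roughly four times as much. The bounded variant never reaches the bignum loop for oversized input, so its cost no longer depends on what the attacker sends.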
Successful exploitation results in a denial-of-service condition: the shared worker pool is exhausted, and all users of the platform experience delays and disruptions.
Administrators should upgrade to Discourse 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0, as appropriate for the release line in use. As an interim measure, lowering the max_draft_length site setting reduces the attack surface but does not eliminate the risk.