CVE-2022-23641

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2.8.1 Discourse version 2.9.0.beta2

Description The issue allows users to trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job triggers an infinite loop, which causes memory leaks.

Recommendations For versions prior to 2.8.1, update to version 2.8.1 or later. For version 2.9.0.beta2, update to a version later than 2.9.0.beta2. As a temporary workaround, consider disabling onebox in the admin panel completely or specify an allow list of domains that will be oneboxed.