PT-2025-24431 · Discourse · Discourse

Theteatoast · Published 2025-06-09 · Updated 2025-07-10 · CVE-2025-48053

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.4.4 (stable branch)
Discourse versions prior to 3.5.0.beta5 (beta branch)
Discourse versions prior to 3.5.0.beta6-dev (tests-passed branch)
Description

Discourse is an open-source discussion platform. Sending a malicious URL in a private message to a bot user can cause a reduction in the availability of the Discourse instance (a denial of service through resource exhaustion; no authentication or user interaction is required, as the CVSS vector states).
Recommendations

Stable branch: versions prior to 3.4.4 should be updated to 3.4.4 or later.
Beta branch: versions prior to 3.5.0.beta5 should be updated to 3.5.0.beta5 or later.
tests-passed branch: versions prior to 3.5.0.beta6-dev should be updated to 3.5.0.beta6-dev or later.

As a temporary workaround until the update can be applied, restrict the ability to send private messages to bot users.
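The following Ruby script is an added example, not code from Discourse or from this advisory. It does two things a practitioner wants when triaging this CVE: it decides whether a given Discourse version string falls below the patched version of its branch (3.4.4 / 3.5.0.beta5 / 3.5.0.beta6-dev), and it models the interim workaround as a policy check that refuses private messages addressed to bot accounts. It assumes that a "-dev" suffix marks the tests-passed branch, ".betaN" the beta branch and a plain x.y.z release the stable branch, and that Discourse bot accounts carry negative user ids (the system user is -1, discobot is -2); the staff exception in the PM check is this example's own choice, not something the advisory specifies. The sample users and PM requests are constructed for the demonstration.

```ruby
# Added example (not Discourse code): version triage for CVE-2025-48053 and a
# model of the advisory's interim workaround (no PMs to bot users).
#
# Assumptions made for this illustration:
#   * "-dev" suffix => tests-passed branch, ".betaN" => beta branch,
#     plain x.y.z => stable branch;
#   * Discourse bot accounts have negative user ids (system = -1, discobot = -2).

FIXED_VERSIONS = {
  stable:       "3.4.4",
  beta:         "3.5.0.beta5",
  tests_passed: "3.5.0.beta6-dev",
}.freeze

# Turns "3.5.0.beta6-dev" into an array that sorts in release order:
# [major, minor, patch, beta-number-or-infinity, dev-flag]. A final release
# sorts after every beta of the same x.y.z, and a -dev build before the
# beta it is leading up to.
def parse_version(version)
  m = version.match(/\A(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?(-dev)?\z/)
  raise ArgumentError, "unrecognised Discourse version: #{version.inspect}" unless m
  beta = m[4] ? m[4].to_i : Float::INFINITY
  dev  = m[5] ? 0 : 1
  [m[1].to_i, m[2].to_i, m[3].to_i, beta, dev]
end

# Branch inferred from the version string (assumption, see above).
def branch_of(version)
  parsed = parse_version(version)
  return :tests_passed if parsed[4].zero?
  return :beta unless parsed[3] == Float::INFINITY
  :stable
end

# Affected means "older than the fixed version of the same branch".
def affected?(version)
  fixed = FIXED_VERSIONS[branch_of(version)]
  (parse_version(version) <=> parse_version(fixed)) < 0
end

# Minimal user model for the workaround check. In Discourse the bot accounts
# (system user, discobot, ...) have ids below zero (assumption stated above).
User = Struct.new(:id, :username, :staff) do
  def bot?
    id < 0
  end
end

# Interim policy from the advisory: ordinary users may not open a private
# message to a bot account. Letting staff through is this example's own
# choice so that admins can still drive the bots.
def pm_allowed?(sender, recipient)
  return true unless recipient.bot?
  sender.staff
end

# Returns "sender->recipient" for every request the policy would refuse.
def rejected_pms(requests)
  requests.reject { |sender, recipient| pm_allowed?(sender, recipient) }
          .map { |sender, recipient| "#{sender.username}->#{recipient.username}" }
end

# Constructed sample users and PM requests (not real data).
SYSTEM   = User.new(-1, "system", true)
DISCOBOT = User.new(-2, "discobot", false)
ALICE    = User.new(1, "alice", false)
ADMIN    = User.new(2, "admin", true)
SAMPLE_REQUESTS = [[ALICE, DISCOBOT], [ALICE, ADMIN], [ADMIN, DISCOBOT], [ALICE, SYSTEM]].freeze

if __FILE__ == $0
  %w[3.4.3 3.4.4 3.5.0.beta4 3.5.0.beta5 3.5.0.beta5-dev 3.5.0.beta6-dev].each do |v|
    puts "#{v.ljust(16)} #{branch_of(v)}: #{affected?(v) ? 'AFFECTED' : 'fixed'}"
  end
  puts "rejected PMs: #{rejected_pms(SAMPLE_REQUESTS).inspect}"
end
```

Run it against the version reported on the instance's /admin dashboard; any string the regex does not recognise raises rather than silently reporting "fixed", which is the safer failure mode for a triage script.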

Weakness Enumeration

CWE-400: Uncontrolled Resource Consumption (Resource Exhaustion)
CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

BIT-DISCOURSE-2025-48053
CVE-2025-48053
GHSA-3Q5Q-QMRM-RVWX

Affected Products

Discourse