CVE-2025-68659

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.5.4 Discourse versions prior to 2025.11.2 Discourse versions prior to 2025.12.1 Discourse versions prior to 2026.1.0

Description Discourse, an open source discussion platform, is subject to an application-level denial of service. The issue resides in the username change functionality, specifically when handling large JSON payloads sent to the username preference endpoint. Attackers can exploit this by submitting substantial JSON data to the PUT /u//preferences/username API endpoint, causing server delays and resource exhaustion. This can lead to degraded performance for other users and endpoints.

Recommendations Update Discourse to version 3.5.4 or later. Update Discourse to version 2025.11.2 or later. Update Discourse to version 2025.12.1 or later. Update Discourse to version 2026.1.0 or later.