CVE-2025-68934

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.5.4 Discourse versions prior to 2025.11.2 Discourse versions prior to 2025.12.1 Discourse versions prior to 2026.1.0

Description Discourse is an open source discussion platform. Authenticated users can submit crafted payloads to the /drafts.json API endpoint that cause inefficient processing in the Base62.decode function. This results in a denial-of-service condition, tying up workers for 35-60 seconds per request and impacting all users due to exhaustion of the shared worker pool. The issue stems from O(n^2) complexity in the decoding process. Lowering the max draft length site setting reduces the attack surface but does not fully resolve the problem, as payloads under the limit can still trigger the slow code path.

Recommendations Update Discourse to version 3.5.4 or later. Update Discourse to version 2025.11.2 or later. Update Discourse to version 2025.12.1 or later. Update Discourse to version 2026.1.0 or later.