CVE-2025-68934

Summary

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path.

Affected Software

VendorProductVersion RangeStatus
discoursediscourse< 3.5.4affected
discoursediscourse>= 2025.11.0-latest, < 2025.11.2affected
discoursediscourse>= 2025.12.0-latest, 2025.12.1affected
discoursediscourse>= 2026.1.0-latest, < 2026.1.0affected

Weaknesses

  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References