CVE-2023-48297

8.6 HIGH

📋 TL;DR

Discourse's chat message serializer expands @all and @here mentions into the full list of matching users, so a single message can produce an excessively large user array and exhaust server resources (denial of service). The cost scales with the size of the community, and any Discourse instance running a vulnerable version with chat enabled is affected.
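To make the bug class concrete, here is an added Ruby model of the serializer pattern described above. It is illustrative code written for this page, not Discourse's own serializer: the member list, the `@here` presence set, the field names and the cap of 25 embedded users are all constructed assumptions. The vulnerable variant expands a group mention into every matching user record on every serialization; the hardened variant emits the group mention as a token with a count and only embeds individually named users, bounded by a cap.

```ruby
require "json"
require "set"

# Any @handle token in a message body (constructed regex for the example).
MENTION_RE = /@([A-Za-z0-9_.-]+)/

# Constructed community of n members; real deployments load these from the DB.
def build_members(n)
  (1..n).map { |i| { id: i, username: "user#{i}" } }
end

def mention_handles(text)
  text.scan(MENTION_RE).flatten.uniq
end

# Vulnerable pattern: @all / @here are expanded into concrete user records and
# embedded in every serialized copy of the message, so payload size and
# allocation grow linearly with the community for a single message.
def serialize_message_vulnerable(message, members, here_ids)
  handles = mention_handles(message[:text])
  users = []
  users.concat(members) if handles.include?("all")
  users.concat(members.select { |m| here_ids.include?(m[:id]) }) if handles.include?("here")
  named = handles - %w[all here]
  users.concat(members.select { |m| named.include?(m[:username]) })
  { id: message[:id], text: message[:text], mentioned_users: users.uniq }
end

# Illustrative cap; not a Discourse setting.
MAX_SERIALIZED_MENTIONS = 25

# Hardened pattern: group mentions stay symbolic (handle + count) and only
# explicitly named users are embedded, never more than the cap.
def serialize_message_hardened(message, members, here_ids)
  handles = mention_handles(message[:text])
  group_mentions = []
  group_mentions << { handle: "all", count: members.size } if handles.include?("all")
  group_mentions << { handle: "here", count: here_ids.size } if handles.include?("here")
  named = handles - %w[all here]
  users = members.select { |m| named.include?(m[:username]) }
  {
    id: message[:id],
    text: message[:text],
    group_mentions: group_mentions,
    mentioned_users: users.first(MAX_SERIALIZED_MENTIONS),
    mentioned_users_truncated: users.size > MAX_SERIALIZED_MENTIONS,
  }
end

def payload_bytes(serialized)
  serialized.to_json.bytesize
end

if __FILE__ == $PROGRAM_NAME
  members = build_members(20_000)
  here = Set.new(1..2_000)
  msg = { id: 1, text: "@all please read the pinned post" }
  puts "vulnerable: #{payload_bytes(serialize_message_vulnerable(msg, members, here))} bytes"
  puts "hardened:   #{payload_bytes(serialize_message_hardened(msg, members, here))} bytes"
end
```

Running the block with 20,000 constructed members shows the vulnerable payload growing with the member count while the hardened payload stays a few hundred bytes; the point is that the client only needs to know a group was mentioned, not receive the whole membership inline.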

💻 Affected Systems

Products:
  • Discourse
Versions: All versions before 3.1.4 and beta versions before 3.2.0.beta5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Discourse installations with chat functionality enabled are vulnerable.

📦 What is this software?

Discourse is an open-source platform for community discussion (forums), built on Ruby on Rails. Its chat feature, where this bug lives, lets members post real-time messages and mention other members, including the group mentions @all and @here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion from processing massive user arrays, leading to extended downtime.

🟠

Likely Case

Performance degradation or temporary service interruptions when @all/@here mentions are used in large communities.

🟢

If Mitigated

With the patch applied, or with @all/@here mentions disabled and chat posting rate-limited, impact is limited to ordinary chat load, though brief performance dips remain possible in very large communities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account that can post in a chat channel; a message containing @all or @here is enough, and the resulting cost grows with the number of members, so large communities are the most exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.4 or 3.2.0.beta5

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-hf2v-r5xm-8p37

Restart Required: Yes

Instructions:

  1. Back up your Discourse instance.
  2. Update to Discourse 3.1.4 or later (stable), or 3.2.0.beta5 or later (tests-passed/beta). On a standard Docker install this is `cd /var/discourse && ./launcher rebuild app`, which rebuilds and restarts the container.
  3. If you updated by another method, restart the application server.
  4. Verify the installed version in the admin dashboard matches the fixed version.

🔧 Temporary Workarounds

Disable @all and @here mentions

Temporarily turn off the expanded group mentions so that a single message cannot expand into the full member list. Edit the chat site settings in the admin panel to disable @all and @here mentions until the instance is upgraded.

🧯 If You Can't Patch

  • Disable chat entirely if it is not essential; the issue is confined to the chat message serializer
  • Rate-limit chat message creation per user so a single account cannot post group mentions in a loop
  • Monitor application server and worker memory/CPU and alert on abnormal spikes correlated with chat activity

🔍 How to Verify

Check if Vulnerable:

Read the installed version from the admin dashboard (/admin), or on a standard Docker install enter the container and read the version file:

cd /var/discourse && ./launcher enter app
cat /var/www/discourse/lib/version.rb

Check Version:

cd /var/discourse && grep -n 'version:' containers/app.yml

This shows which branch the install tracks (for example tests-passed or stable), not the exact running version; use the dashboard or lib/version.rb for that.

Verify Fix Applied:

Confirm the installed version is 3.1.4 or higher on the stable branch, or 3.2.0.beta5 or higher on tests-passed/beta. Note that 3.2.0.beta1 through 3.2.0.beta4 sort after 3.1.4 by version number but are still vulnerable, so a plain "newer than 3.1.4" comparison is not enough.
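Because the fixed versions sit on two branches, a naive version comparison gets the beta train wrong. The following added Ruby helper (written for this page, not part of Discourse) encodes the rule from the advisory using `Gem::Version`, which ships with Ruby: versions below 3.1.4 are vulnerable, 3.2.0 pre-releases below 3.2.0.beta5 are vulnerable, and everything else on or after those points is fixed. The version string is the one shown in the admin dashboard or in lib/version.rb.

```ruby
require "rubygems" # Gem::Version is part of Ruby's standard distribution

FIXED_STABLE = Gem::Version.new("3.1.4")
FIXED_BETA   = Gem::Version.new("3.2.0.beta5")
BETA_TRAIN   = Gem::Version.new("3.2.0")

# Classify a Discourse version string for CVE-2023-48297.
# Returns :vulnerable, :fixed or :unknown (unparseable input).
def cve_2023_48297_status(version_string)
  v = Gem::Version.new(version_string.to_s.strip)
  if v.prerelease? && v.release == BETA_TRAIN
    # 3.2.0.betaN: compare against the beta fix, not the stable one,
    # because 3.2.0.beta1..beta4 are newer than 3.1.4 yet unpatched.
    v >= FIXED_BETA ? :fixed : :vulnerable
  elsif v.prerelease? && v.release > BETA_TRAIN
    # Later beta trains (3.3.0.beta1 and up) branched after the fix landed.
    :fixed
  else
    # Stable releases and older beta trains compare against 3.1.4.
    v >= FIXED_STABLE ? :fixed : :vulnerable
  end
rescue ArgumentError
  :unknown
end

if __FILE__ == $PROGRAM_NAME
  %w[3.1.3 3.1.4 3.2.0.beta4 3.2.0.beta5 3.2.0 3.1.0.beta3 garbage].each do |s|
    puts "#{s.ljust(12)} #{cve_2023_48297_status(s)}"
  end
end
```

Gem::Version treats a "-dev" suffix as a pre-release of the tagged version, so a tests-passed build such as 3.2.0.beta5-dev is reported as vulnerable; for those, confirm the deployed commit includes the fix rather than trusting the version string.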

📡 Detection & Monitoring

Log Indicators:

  • Unusually large memory consumption spikes
  • Application errors related to message serialization

Network Indicators:

  • Increased response times for chat endpoints
  • Timeout errors on message posting

SIEM Query:

Pseudo-query; adapt the source, field and metric names to your logging platform. The literal "@all"/"@here" text is unlikely to appear in server logs, so key on chat request paths and correlate latency or errors with process memory instead:

source="discourse_logs" AND request_path LIKE "/chat/%" AND (status=500 OR duration_ms > threshold)

🔗 References

  • Vendor advisory: https://github.com/discourse/discourse/security/advisories/GHSA-hf2v-r5xm-8p37
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-48297