CVE-2024-37299
📋 TL;DR
This vulnerability in Discourse allows attackers to submit extremely long tag group names in requests, which can cause resource exhaustion and reduce the availability of the platform. It affects all Discourse instances running vulnerable versions. The impact is a denial-of-service condition that makes the platform temporarily unavailable.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for all users due to resource exhaustion, requiring manual intervention to restore service.
Likely Case
Temporary performance degradation or service interruption affecting some users until the malicious request is processed or times out.
If Mitigated
Minimal impact with proper input validation and resource limits in place.
🎯 Exploit Status
Exploitation requires authenticated access to submit tag groups, but the technique is simple - crafting requests with extremely long tag group names.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.5 or 3.3.0.beta5
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-4j6h-9pjp-5476
Restart Required: Yes
Instructions:
1. Update Discourse to version 3.2.5 or 3.3.0.beta5.
2. Restart the Discourse application.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Rate limiting on tag group submissions
Implement rate limiting on requests that create or modify tag groups to prevent rapid exploitation attempts.
Configure rate limiting in your reverse proxy (nginx/apache) or application firewall
Input validation at proxy layer
Add request size limits and input validation at the web server or reverse proxy level.
nginx: client_max_body_size 1m;
apache: LimitRequestBody 1048576
🧯 If You Can't Patch
- Implement strict input validation to reject tag group names exceeding reasonable length limits
- Deploy a WAF (Web Application Firewall) with rules to detect and block requests with abnormally long parameter values
🔍 How to Verify
Check if Vulnerable:
Check Discourse version: if running version earlier than 3.2.5 or 3.3.0.beta5, the system is vulnerable.
Check Version:
cd /var/discourse && ./launcher status app | grep -i version
Verify Fix Applied:
After updating, verify the version is 3.2.5 or higher, or 3.3.0.beta5 or higher, and test that submitting long tag group names is properly rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusually long parameter values in POST requests to tag group endpoints
- Multiple failed requests with large payloads
- Increased memory or CPU usage from Discourse processes
Network Indicators:
- HTTP POST requests with abnormally large content-length headers to /tag_groups endpoints
- Repeated requests to tag management endpoints from single IPs
SIEM Query:
source="discourse.logs" AND (uri_path="/tag_groups" OR uri_path="/admin/tags") AND content_length>1000000
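As an added example (not part of this advisory or of Discourse itself), the log indicators above can be checked offline with a small script. It assumes a hypothetical access-log format of `$remote_addr [$time_local] "$request" $status $request_length` and uses the same 1,000,000-byte threshold as the SIEM query; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed log format (not a Discourse default):
# '$remote_addr [$time_local] "$request" $status $request_length'
SAMPLE_LOG = """\
203.0.113.7 [12/Jun/2024:10:00:01 +0000] "POST /tag_groups HTTP/1.1" 200 812
203.0.113.7 [12/Jun/2024:10:00:02 +0000] "POST /tag_groups HTTP/1.1" 200 1048900
203.0.113.7 [12/Jun/2024:10:00:03 +0000] "PUT /tag_groups/4 HTTP/1.1" 500 2100000
198.51.100.9 [12/Jun/2024:10:00:04 +0000] "GET /tag_groups HTTP/1.1" 200 410
198.51.100.9 [12/Jun/2024:10:00:05 +0000] "POST /t/some-topic/12 HTTP/1.1" 200 3000000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+)$'
)

# Endpoints named in the advisory's SIEM query.
TAG_GROUP_PATHS = ("/tag_groups", "/admin/tags")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_len"] = int(rec["req_len"])
    return rec

def flag_oversized_tag_group_requests(log_text, max_bytes=1_000_000):
    """Return (ip, method, path, req_len) for write requests to tag-group
    endpoints whose total request size exceeds max_bytes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT", "PATCH"):
            continue
        if not rec["path"].startswith(TAG_GROUP_PATHS):
            continue  # large uploads elsewhere (e.g. posts) are not this signal
        if rec["req_len"] > max_bytes:
            hits.append((rec["ip"], rec["method"], rec["path"], rec["req_len"]))
    return hits

def repeat_offenders(hits, min_count=2):
    """IPs with at least min_count oversized tag-group requests."""
    counts = Counter(h[0] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    found = flag_oversized_tag_group_requests(SAMPLE_LOG)
    for ip, method, path, size in found:
        print(f"{ip} {method} {path} request_length={size}")
    print("repeat offenders:", repeat_offenders(found))
```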
🔗 References
- https://github.com/discourse/discourse/commit/188cb58daa833839c54c266ce22db150a3f3a210
- https://github.com/discourse/discourse/commit/76f06f6b1491db6bd09a4017d2c5591431b3b16e
- https://github.com/discourse/discourse/security/advisories/GHSA-4j6h-9pjp-5476