CVE-2025-68659

4.3 MEDIUM

📋 TL;DR

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application-level denial of service vulnerability in the username change functionality. Attackers can send large JSON payloads to the username preference endpoint, causing server delays and resource exhaustion that degrades performance for all users. This affects all Discourse instances running vulnerable versions.

💻 Affected Systems

Products:
  • Discourse
Versions: All versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: try.discourse.org is the endpoint specifically mentioned, but any Discourse instance running a vulnerable version is likely affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to resource exhaustion, affecting all endpoints and users on the Discourse instance.

🟠 Likely Case

Noticeable performance degradation and server delays affecting multiple users and endpoints.

🟢 If Mitigated

Minimal impact with proper rate limiting, input validation, and resource monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access to the username change endpoint. Simple to exploit by sending large JSON payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p

Restart Required: Yes

Instructions:

1. Back up your Discourse instance.
2. Update to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 using your deployment method (Docker, manual, etc.).
3. Restart the application.
4. Verify the update was successful.

🔧 Temporary Workarounds

Rate Limiting (applies to: all)

Implement rate limiting on the PUT /u/*/preferences/username endpoint to restrict request frequency and size.

Configure rate limiting in your reverse proxy (nginx/apache) or application firewall.

Input Validation (applies to: all)

Add middleware to validate and limit JSON payload size before processing.

Implement request size limits in your web server configuration.
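The payload-size check described above, written here as an added example rather than Discourse's own code or fix. It is a hypothetical Rack-style middleware (Discourse is a Rails application, so this is the layer such a check would sit at) that refuses oversized bodies on the username preference route with a 413 before the application ever parses the JSON. The route pattern, the 4 KiB limit, the stub application and the request environments are all constructed for this illustration.

```ruby
require 'stringio'

# Hypothetical Rack-style middleware (not Discourse code) that refuses oversized
# request bodies on the username preference route before the JSON is parsed.
class UsernamePayloadLimit
  ROUTE = %r{\A/u/[^/]+/preferences/username\z}
  DEFAULT_LIMIT = 4 * 1024 # bytes; a real username change needs far less

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless env['REQUEST_METHOD'] == 'PUT' && env['PATH_INFO'] =~ ROUTE

    # A declared Content-Length above the limit can be rejected without reading.
    declared = env['CONTENT_LENGTH'].to_i
    return reject(declared) if declared > @limit

    # Do not trust Content-Length alone: a client can omit or understate it.
    # Read at most limit+1 bytes; any byte beyond the limit means reject.
    body = env['rack.input'].read(@limit + 1) || ''
    return reject(body.bytesize) if body.bytesize > @limit

    # Hand the already-read body back to the application unchanged.
    env['rack.input'] = StringIO.new(body)
    env['CONTENT_LENGTH'] = body.bytesize.to_s
    @app.call(env)
  end

  private

  def reject(seen_bytes)
    [413, { 'content-type' => 'application/json' },
     [%({"error":"payload too large","max_bytes":#{@limit},"seen_bytes":#{seen_bytes}})]]
  end
end

# Constructed request environment for exercising the middleware offline.
def build_env(method, path, body)
  {
    'REQUEST_METHOD' => method,
    'PATH_INFO' => path,
    'CONTENT_LENGTH' => body.bytesize.to_s,
    'rack.input' => StringIO.new(body)
  }
end

# Stub application standing in for Discourse: echoes the body it receives.
ECHO_APP = lambda { |env| [200, {}, [env['rack.input'].read]] }

# Returns the HTTP status the middleware stack produces for a constructed request.
def status_for(method, path, body, limit: UsernamePayloadLimit::DEFAULT_LIMIT)
  UsernamePayloadLimit.new(ECHO_APP, limit: limit).call(build_env(method, path, body)).first
end

if __FILE__ == $PROGRAM_NAME
  small = '{"new_username":"alice"}'
  large = '{"new_username":"' + ('a' * 2_000_000) + '"}'
  puts status_for('PUT', '/u/alice/preferences/username', small) # 200
  puts status_for('PUT', '/u/alice/preferences/username', large) # 413
  puts status_for('PUT', '/t/123', large)                         # 200, other routes untouched
end
```

The middleware checks the declared length first but still reads the body up to the limit, because a client that omits or understates Content-Length would otherwise bypass a header-only check; the body it did read is re-wrapped so the application behaves as if nothing had intercepted it.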

🧯 If You Can't Patch

  • Implement strict rate limiting and request size limits on the vulnerable endpoint
  • Monitor server resources and set up alerts for abnormal CPU/memory usage patterns

🔍 How to Verify

Check if Vulnerable:

Check your Discourse version against affected versions. If running a version before 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0, you are vulnerable.

Check Version:

docker exec discourse cat /app/VERSION  # For Docker deployments, or check admin panel

Verify Fix Applied:

Confirm your Discourse version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large request sizes to PUT /u/*/preferences/username
  • Increased response times for username change requests
  • High CPU/memory usage correlated with username change attempts

Network Indicators:

  • Large JSON payloads (multiple megabytes) sent to the username endpoint
  • Multiple rapid requests to username change endpoint from single IP

SIEM Query:

source="discourse-logs" AND uri_path="/u/*/preferences/username" AND (request_size>1000000 OR response_time>5000)
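The same detection logic as the query above, run over sample log lines as an added example (not part of this advisory and not a Discourse tool). The key=value log layout, the IP addresses, the burst window of 10 seconds and the count of 5 are constructed for the illustration; the 1,000,000-byte and 5,000 ms thresholds are the ones the query uses. Beyond the query itself, it also checks the "multiple rapid requests from a single IP" network indicator.

```ruby
# Constructed sample log lines in a simple key=value layout (not Discourse's real
# log format): ts is epoch seconds, request_size is bytes, response_time is ms.
SAMPLE_LOG = <<~LOG
  ts=1700000000 ip=198.51.100.7 method=PUT path=/u/bob/preferences/username status=200 request_size=512 response_time=120
  ts=1700000001 ip=203.0.113.5 method=PUT path=/u/mallory/preferences/username status=200 request_size=2400000 response_time=7200
  ts=1700000002 ip=203.0.113.5 method=PUT path=/u/mallory/preferences/username status=200 request_size=2400000 response_time=7900
  ts=1700000003 ip=203.0.113.5 method=PUT path=/u/mallory/preferences/username status=200 request_size=2400000 response_time=8100
  ts=1700000004 ip=203.0.113.5 method=PUT path=/u/mallory/preferences/username status=200 request_size=2400000 response_time=8400
  ts=1700000005 ip=203.0.113.5 method=PUT path=/u/mallory/preferences/username status=200 request_size=2400000 response_time=8800
  ts=1700000006 ip=198.51.100.7 method=GET path=/t/123 status=200 request_size=3000000 response_time=50
  ts=1700000007 ip=198.51.100.9 method=PUT path=/u/carol/preferences/username status=200 request_size=600 response_time=6000
LOG

USERNAME_PATH = %r{\A/u/[^/]+/preferences/username\z}
SIZE_THRESHOLD = 1_000_000 # bytes, as in the SIEM query
TIME_THRESHOLD = 5_000     # milliseconds, as in the SIEM query
BURST_WINDOW = 10          # seconds (constructed value)
BURST_COUNT = 5            # requests from one IP inside the window (constructed value)

# Parses one key=value line into a hash of strings.
def parse_line(line)
  line.split.each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[k] = v
  end
end

# Entries matching the query: username endpoint AND (large body OR slow response).
# A large body on another route (e.g. an upload) is deliberately not flagged.
def suspicious_entries(log)
  log.each_line.map { |l| parse_line(l) }.select do |e|
    e['path'] =~ USERNAME_PATH &&
      (e['request_size'].to_i > SIZE_THRESHOLD || e['response_time'].to_i > TIME_THRESHOLD)
  end
end

# Network indicator: BURST_COUNT or more username-change requests from one IP
# within BURST_WINDOW seconds. Returns the offending source addresses.
def burst_sources(log)
  by_ip = Hash.new { |h, k| h[k] = [] }
  log.each_line.map { |l| parse_line(l) }.each do |e|
    by_ip[e['ip']] << e['ts'].to_i if e['path'] =~ USERNAME_PATH
  end
  by_ip.select do |_ip, times|
    times.sort.each_cons(BURST_COUNT).any? { |win| win.last - win.first <= BURST_WINDOW }
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  suspicious_entries(SAMPLE_LOG).each do |e|
    puts "suspicious: ip=#{e['ip']} size=#{e['request_size']} time=#{e['response_time']}ms"
  end
  puts "burst sources: #{burst_sources(SAMPLE_LOG).join(', ')}"
end
```

The path match is applied before the size or time test, which is the precedence the query needs; without the parentheses a large upload to an unrelated route would be reported as well.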
