CVE-2025-68934
📋 TL;DR
This vulnerability allows authenticated users to submit specially crafted payloads to Discourse's drafts endpoint, causing O(n^2) processing that ties up worker threads for 35-60 seconds per request. This affects all users on vulnerable instances as the shared worker pool becomes exhausted, leading to denial of service. The issue impacts Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to worker pool exhaustion, preventing all legitimate users from accessing the Discourse instance.
Likely Case
Degraded performance and intermittent service disruptions as workers become tied up processing malicious payloads.
If Mitigated
Minimal impact with proper patching and monitoring in place to detect and block attack attempts.
🎯 Exploit Status
Exploitation requires authenticated user credentials but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849
Restart Required: Yes
Instructions:
1. Back up your Discourse instance.
2. Update to Discourse version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0.
3. Restart the Discourse service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Reduce max_draft_length
Lower the maximum draft length setting to reduce the attack surface (partial mitigation only)
discourse site-setting max_draft_length 1000
🧯 If You Can't Patch
- Implement rate limiting on /drafts.json endpoint
- Monitor for abnormal request patterns to /drafts.json and block suspicious IPs
🔍 How to Verify
Check if Vulnerable:
Check the running Discourse version against the affected versions list. Review logs for slow processing of /drafts.json requests.
Check Version:
discourse version
Verify Fix Applied:
Confirm the Discourse version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. Test the /drafts.json endpoint with various payloads to ensure normal response times.
📡 Detection & Monitoring
Log Indicators:
- Slow request processing (35-60 seconds) for POST /drafts.json
- Worker pool exhaustion warnings
- Multiple authenticated users submitting drafts simultaneously
Network Indicators:
- High volume of POST requests to /drafts.json from single or multiple authenticated users
- Increased response times for all Discourse endpoints
SIEM Query:
source="discourse" AND ((uri_path="/drafts.json" AND request_time>35000) OR message="worker pool exhausted")
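As an added example (not part of the advisory or of Discourse itself), the following script applies the log indicators above to structured request logs: it flags POST /drafts.json requests whose processing time exceeds the 35-second lower bound and counts repeat hits per account and source IP, which is the pattern to feed into rate limiting or blocking. The JSON-per-line log format and its field names (`method`, `uri_path`, `request_time`, `user_id`, `ip`) are assumptions, and the sample lines are constructed; map them to your own pipeline's fields.

```python
"""Flag slow POST /drafts.json requests, the CVE-2025-68934 log indicator.
Added example; log layout below is constructed, not Discourse's real format."""
import json
from collections import Counter

# Constructed sample log lines (one JSON object per line). Field names assumed.
SAMPLE_LOG = """\
{"ts":"2025-12-01T10:00:01Z","method":"POST","uri_path":"/drafts.json","request_time":38210,"user_id":42,"ip":"203.0.113.5"}
{"ts":"2025-12-01T10:00:02Z","method":"GET","uri_path":"/latest.json","request_time":120,"user_id":7,"ip":"198.51.100.9"}
{"ts":"2025-12-01T10:00:03Z","method":"POST","uri_path":"/drafts.json","request_time":250,"user_id":7,"ip":"198.51.100.9"}
{"ts":"2025-12-01T10:00:05Z","method":"POST","uri_path":"/drafts.json","request_time":59870,"user_id":42,"ip":"203.0.113.5"}
{"ts":"2025-12-01T10:00:09Z","method":"POST","uri_path":"/drafts.json","request_time":41003,"user_id":42,"ip":"203.0.113.5"}
not a json line
"""

SLOW_MS = 35000  # lower bound of the 35-60 s processing time the advisory cites


def parse_log(text):
    """Yield parsed records, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the sweep


def slow_draft_posts(text, threshold_ms=SLOW_MS):
    """Return records for POST /drafts.json whose request_time exceeds threshold_ms."""
    return [
        r for r in parse_log(text)
        if r.get("method") == "POST"
        and r.get("uri_path") == "/drafts.json"
        and r.get("request_time", 0) > threshold_ms
    ]


def repeat_offenders(text, min_hits=2, threshold_ms=SLOW_MS):
    """Map (user_id, ip) -> number of slow draft POSTs, keeping only pairs with
    at least min_hits; repeated slow requests from one account are the signal
    worth rate limiting, a single slow request may be a legitimate large draft."""
    hits = Counter(
        (r.get("user_id"), r.get("ip")) for r in slow_draft_posts(text, threshold_ms)
    )
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for r in slow_draft_posts(SAMPLE_LOG):
        print(f"{r['ts']} user={r['user_id']} ip={r['ip']} {r['request_time']} ms")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```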