CVE-2022-23641 MEDIUM

CVE-2022-23641: Denial of Service in Discourse

Vendor Discourse

Product discourse

Weakness CWE-835

Published February 15, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Discourse is an open source discussion platform. In versions prior to 2.8.1 in the `stable` branch, 2.9.0.beta2 in the `beta` branch, and 2.9.0.beta2 in the `tests-passed` branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an infinite loop, which cause memory leaks. This issue is patched in version 2.8.1 of the `stable` branch, 2.9.0.beta2 of the `beta` branch, and 2.9.0.beta2 of the `tests-passed` branch. As a workaround, disable onebox in admin panel completely or specify allow list of domains that will be oneboxed.

Key dates

02Disclosure timeline

February 15, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-23641

Related vulnerabilities

Identifiers

CVE CVE-2022-23641

CWE CWE-835

CVSS 6.5 / MEDIUM

Affected versions

Vendor Discourse

Product discourse

Affected stable <= 2.8.0

Vendor Discourse

Product discourse

Affected beta <= 2.9.0.beta1

Vendor Discourse

Product discourse

Affected tests-passed <= 2.9.0.beta1

CVE-2022-23641: Denial of Service in Discourse

01Description

02Disclosure timeline

03References

04Related CVE