CVE-2025-48053

EUVD ID: EUVD-2025-17463
Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2025-06-09
Assigner: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd) - EUVD-2025-17463
- CVE Published: Jun 09, 2025 - 13:15 (nvd) - HIGH 7.5

Description

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can reduce the availability of a Discourse instance. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. No known workarounds are available.

Analysis

Denial-of-service vulnerability in Discourse that allows unauthenticated remote attackers to reduce the availability of a Discourse instance by sending malicious URLs in private messages to bot users. The vulnerability affects Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed), with a CVSS 7.5 rating indicating high severity. No known public exploits or workarounds are currently available, but patches have been released.

Technical Context

This vulnerability stems from improper handling of user-supplied input (CWE-400: Uncontrolled Resource Consumption) when processing URLs in private messages directed at bot users. Discourse's bot user handling mechanism lacks sufficient rate-limiting or input validation when parsing potentially malicious URLs, allowing an attacker to trigger resource-intensive operations (such as URL fetching, parsing, or link preview generation) without authentication. The vulnerability specifically targets the PM (private message) functionality when bots are recipients, suggesting the bot's automatic message processing or link-preview generation features are the attack vector. The issue affects the core Discourse message handling and bot interaction subsystems across multiple release branches (stable, beta, and development branches).

Affected Products

- Product: Discourse (stable branch); affected versions: < 3.4.4; patched version: 3.4.4 and later
- Product: Discourse (beta branch); affected versions: < 3.5.0.beta5; patched version: 3.5.0.beta5 and later
- Product: Discourse (tests-passed branch); affected versions: < 3.5.0.beta6-dev; patched version: 3.5.0.beta6-dev and later

Remediation

- Upgrade immediately: Update Discourse installations to version 3.4.4 or later on the stable branch, version 3.5.0.beta5 or later on the beta branch, or version 3.5.0.beta6-dev or later on the tests-passed branch.
- Workarounds: No known workarounds are available. Patching is the only remediation path. Organizations unable to patch immediately should consider restricting bot PM access or implementing external rate-limiting/WAF rules to detect unusual PM activity patterns.
- Monitoring: Monitor instance logs for unusual bot PM activity, particularly with non-standard or suspicious URLs. Monitor system resource consumption (CPU, memory) during PM operations to detect potential DoS attempts.
- Deployment prioritization: Prioritize patching for production Discourse instances with enabled bot functionality and public accessibility. Lower-priority instances (internal/private deployments with limited bot usage) may follow standard change management procedures.

Priority Score

38 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.2
- CVSS: +38
- POC: 0
