CVE-2025-68934 in Discourse
Summary
by MITRE • 01/28/2026
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path.
Analysis
by VulDB Data Team • 01/28/2026
CVE-2025-68934 affects Discourse, an open source discussion platform used as a community forum by organizations of all sizes. The flaw is an algorithmic-complexity denial of service: an authenticated user can steer the Base62 decoding behind the drafts endpoint into a slow code path and consume server capacity, degrading availability for everyone on the instance. All releases prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 are affected, so the issue spans several release lines and a large installed base.
The flaw lives in the code path that decodes Base62-encoded data submitted to /drafts.json. A crafted payload drives Base62.decode into an O(n^2) case, where processing time grows quadratically with input length rather than linearly. A single such request occupies a worker for roughly 35 to 60 seconds. Because Discourse serves requests from a shared worker pool, each worker stuck in the decoder is unavailable to every other request, and a handful of concurrent crafted requests is enough to exhaust the pool and stall the whole site.
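As an added illustration of the complexity class described above (this is example code written for this page, not Discourse's Base62 implementation): a decoder that recomputes the positional weight for every digit does quadratic work, while a decoder that bounds input length first and uses Horner's method does linear work. The alphabet, the MAX_DIGITS constant and all function names are assumptions made for the example.

```ruby
# Added illustration (not Discourse's code): a Base62 decoder whose cost grows
# quadratically with input length, beside a bounded variant. The alphabet,
# MAX_DIGITS and function names are assumptions made for this example.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ".freeze
BASE = ALPHABET.size
INDEX = ALPHABET.each_char.with_index.to_h.freeze

# 62**10 < 2**64 < 62**11, so 11 digits cover every unsigned 64-bit id.
MAX_DIGITS = 11

def base62_encode(n)
  raise ArgumentError, "non-negative Integer required" unless n.is_a?(Integer) && n >= 0
  return ALPHABET[0] if n.zero?
  out = +""
  while n > 0
    n, r = n.divmod(BASE)
    out.prepend(ALPHABET[r])
  end
  out
end

def digit(ch)
  INDEX.fetch(ch) { raise ArgumentError, "invalid base62 character #{ch.inspect}" }
end

# Naive decoder: recomputes BASE**i from scratch for the i-th digit, so digit i
# costs i multiplications and a string of n digits costs n(n-1)/2 in total.
# Returns [value, multiplications] so the growth can be measured without timing.
def base62_decode_naive(str)
  mults = 0
  value = 0
  str.reverse.each_char.with_index do |ch, i|
    weight = 1
    i.times { weight *= BASE; mults += 1 }
    value += digit(ch) * weight
  end
  [value, mults]
end

# Bounded decoder: rejects inputs longer than any legitimate id before touching
# them, then does one multiply-add per digit (Horner's method), which is O(n).
def base62_decode_bounded(str)
  if str.length > MAX_DIGITS
    raise ArgumentError, "base62 input too long: #{str.length} > #{MAX_DIGITS}"
  end
  str.each_char.reduce(0) { |acc, ch| acc * BASE + digit(ch) }
end

# Ratio of work when the input length doubles; approaches 4 for a quadratic decoder.
def growth_ratio(n)
  small = base62_decode_naive(ALPHABET[1] * n)[1]
  large = base62_decode_naive(ALPHABET[1] * (2 * n))[1]
  large.fdiv(small)
end

if $PROGRAM_NAME == __FILE__
  puts "multiplications for 1000 digits: #{base62_decode_naive("1" * 1000)[1]}"
  puts "work ratio when doubling 1000 -> 2000 digits: #{growth_ratio(1000).round(3)}"
end
```

The point of the bounded variant is the order of operations: the length check runs before any arithmetic, so an attacker cannot pay a small request to buy a large amount of server time. A cap on a surrounding field (such as a draft size limit) is weaker than a cap at the decoder, because any input that fits under the outer limit is still handed to the slow routine.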
The operational impact goes beyond slow responses: once the worker pool is exhausted, the forum is effectively down for every user, and it stays down as long as the attacker keeps submitting payloads. The attack requires only an ordinary authenticated account, which on a public forum is cheap to obtain, so the barrier to exploitation is low. Because each request pins a worker for 35 to 60 seconds, the attacker needs very few requests, far fewer than a flood; request-rate alarms may not fire at all, and the signal to look for is per-request latency and worker saturation rather than volume. This is a textbook algorithmic-complexity resource exhaustion, which is harder to spot with conventional traffic-based monitoring than a brute-force flood.
The fix is to upgrade to 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0, which address the slow code path in Base62.decode. Lowering the max_draft_length site setting shrinks the inputs an attacker can send but is not a mitigation on its own, since payloads that stay under the limit still reach the slow code path. VulDB files this issue under CWE-795; the underlying weakness is inefficient algorithmic complexity (CWE-407, Inefficient Algorithmic Complexity) leading to uncontrolled resource consumption (CWE-400). The matching ATT&CK technique is T1499.004, Endpoint Denial of Service: Application or System Exploitation, which covers crashing or hanging a service by exploiting a flaw in the application rather than by flooding the network. Until the upgrade is applied, administrators should watch for draft requests with abnormally long server time, especially repeated ones from the same account, as these stand out clearly against the normal sub-second cost of saving a draft. The case is a reminder that algorithmic complexity deserves the same review as memory safety in input-handling code: a routine that is harmless on expected input can become a one-request denial of service on crafted input.
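As an added example of the interim monitoring suggested above (written for this page; it is not a Discourse component or log format), the script below parses request log lines, keeps only requests to /drafts.json whose server time exceeds a threshold, and groups them by user so a repeat offender is visible. The log line layout, the field names, the sample lines and the 5-second threshold are all constructed assumptions; adapt the regex to what your reverse proxy or application logger actually emits.

```ruby
# Added example (not Discourse's code): flag draft requests whose server time is
# far above normal. The log format and the sample lines are constructed for this
# illustration; adapt the regex to whatever your reverse proxy or Rails logger emits.
REQUEST_LINE = /\A(?<ts>\S+)\s+user=(?<user>\S+)\s+(?<method>[A-Z]+)\s+(?<path>\S+)\s+status=(?<status>\d{3})\s+duration_ms=(?<ms>\d+)\z/

# Constructed sample: one user saves drafts normally, another's draft requests each
# take tens of seconds, in line with the 35-60 s per request in the advisory. The
# slow /latest.json line shows that the filter is endpoint-specific.
SAMPLE_LOG = <<~LOG
  2026-01-28T10:00:01Z user=42 POST /drafts.json status=200 duration_ms=38
  2026-01-28T10:00:02Z user=42 GET /t/topic/123.json status=200 duration_ms=120
  2026-01-28T10:00:05Z user=77 POST /drafts.json status=200 duration_ms=41250
  2026-01-28T10:00:06Z user=42 POST /drafts.json status=200 duration_ms=44
  2026-01-28T10:00:50Z user=77 POST /drafts.json status=200 duration_ms=58900
  2026-01-28T10:01:40Z user=77 POST /drafts.json status=200 duration_ms=37100
  2026-01-28T10:01:41Z user=13 GET /latest.json status=200 duration_ms=36500
LOG

# Parse lines into hashes; lines that do not match the expected layout are skipped.
def parse_requests(text)
  text.each_line.filter_map do |line|
    m = REQUEST_LINE.match(line.strip)
    next unless m
    { ts: m[:ts], user: m[:user], method: m[:method], path: m[:path],
      status: m[:status].to_i, ms: m[:ms].to_i }
  end
end

# Group slow requests to the drafts endpoint by user, so a repeat offender stands
# out from an isolated slow request. The threshold is an assumption; tune it to
# the normal p99 of the endpoint on your instance.
def slow_draft_requests(requests, path: "/drafts.json", threshold_ms: 5_000)
  requests
    .select { |r| r[:path] == path && r[:ms] >= threshold_ms }
    .group_by { |r| r[:user] }
    .transform_values do |rs|
      { count: rs.size,
        max_ms: rs.map { |r| r[:ms] }.max,
        total_worker_seconds: rs.sum { |r| r[:ms] } / 1000.0 }
    end
end

if $PROGRAM_NAME == __FILE__
  slow_draft_requests(parse_requests(SAMPLE_LOG)).each do |user, stats|
    puts "user=#{user} slow_draft_requests=#{stats[:count]} " \
         "max=#{stats[:max_ms]}ms worker_time=#{stats[:total_worker_seconds]}s"
  end
end
```

The total_worker_seconds figure is the useful one for triage: it is the amount of worker capacity a single account has consumed, which maps directly onto the pool-exhaustion described in the advisory, and it is what justifies suspending the account until the instance is patched.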