Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.
History
Fri, 26 Sep 2025 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | |
Tue, 26 Aug 2025 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* cpe:2.3:a:discourse:discourse:3.4.0:-:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.4.0:beta1:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.4.0:beta2:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.4.0:beta3:*:*:beta:*:*:* |
Tue, 15 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | epss | epss |
Tue, 04 Feb 2025 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc |
Tue, 04 Feb 2025 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting. |
| Title | | Partial denial of service via inline oneboxes in Discourse |
| Weaknesses | | CWE-400 |
| References | | |
| Metrics | | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-02-04T21:16:42.089Z
Updated: 2025-02-04T21:40:59.102Z
Reserved: 2024-11-22T17:30:02.140Z
Link: CVE-2024-53851

Vulnrichment
Updated: 2025-02-04T21:40:54.504Z

NVD
Status: Analyzed
Published: 2025-02-04T22:15:40.490
Modified: 2025-09-26T13:04:59.347
Link: CVE-2024-53851

Redhat
No data.