CVE-2025-68659

Опубликовано: 28 янв. 2026

Источник: nvd

CVSS3: 4.3

CVSS3: 5.3

EPSS Низкий

Описание

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Ссылки

https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*

Версия до 3.5.4 (исключая)

cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*

Версия от 2025.11.0 (включая) до 2025.11.2 (исключая)

cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*

cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*

EPSS

Процентиль: 11%

0.00038

Низкий

4.3 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-770

EPSS

Процентиль: 11%

0.00038

Низкий

4.3 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-770