CVE-2022-41921: Discourse Denial of Service Vulnerability in Chat Messages Prior to 2.9..beta13 – Upgrade Required

In this post, we will discuss a newly discovered vulnerability, CVE-2022-41921, in the popular open-source discussion platform Discourse.  This issue can result in a Denial of Service (DoS) attack for users when posting extremely long messages. We will provide details on the vulnerability, a code snippet showing the exploit and suggestions for mitigating the risk. It is strongly recommended to upgrade to version 2.9..beta13 or later to fix this issue.

Vulnerability Details

Discourse is an open-source discussion platform that provides users and communities with the ability to engage in productive discussions online. A critical vulnerability has been identified in versions of Discourse prior to 2.9..beta13, where users were able to post chat messages of unlimited length. This could be exploited by malicious users to intentionally cause a denial of service for other users by posting extremely long messages containing massive amounts of text.

Original References

- CVE-2022-41921 - NVD
- GitHub Security Advisory
- Discourse Release Notes

The following code snippet demonstrates how an attacker can exploit this vulnerability

function generateLongMessage(size) {
  let message = "";
  for (let i = ; i < size; i++) {
    message += "A";
  }
  return message;
}

const longMessage = generateLongMessage(10000000); // 10 million characters
// Insert code to send longMessage as a chat message on Discourse

This code generates a message of size characters, all consisting of the letter "A". The resulting message string can then be sent as a chat message on the vulnerable Discourse platform. Depending on the size of the message, it might cause performance issues and even crash the server, causing a denial of service for other users.

Mitigation

It is strongly advised that users of Discourse immediately upgrade to version 2.9..beta13 or later. In this new version, a message length limit has been introduced to prevent the abuse of unlimited message lengths and to mitigate the risk of denial of service attacks.

To upgrade, follow the steps provided in the Discourse upgrade guide.

No known workarounds exist for this vulnerability, so it is crucial to upgrade as soon as possible to protect your Discourse platform from potential attacks.

Conclusion

CVE-2022-41921 is a serious vulnerability affecting the popular open-source discussion platform Discourse. The issue allows attackers to exploit an unlimited chat message length to carry out a denial of service attack on other users. To protect your Discourse instance and its users, it is imperative to upgrade to version 2.9..beta13 or later.

Timeline

Published on: 11/28/2022 15:15:00 UTC
Last modified on: 12/01/2022 20:20:00 UTC