Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches, if a user has been quoted and uses a | in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts theyve been quoted by updating their full name again. Version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches contain a patch for this issue. No known workaround exists, although one can stop the bleeding by ensuring users only use alphanumeric characters in their full name field.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Discourse | Discourse | * | 3.1.3 (excluding) |
| Discourse | Discourse | * | 3.2.0 (excluding) |
| Discourse | Discourse | 3.2.0-beta1 (including) | 3.2.0-beta1 (including) |
| Discourse | Discourse | 3.2.0-beta2 (including) | 3.2.0-beta2 (including) |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.