CVE-2025-68659
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-01-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 3.5.4 (exc) |
| discourse | discourse | From 2025.11.0 (inc) to 2025.11.2 (exc) |
| discourse | discourse | 2025.12.0 |
| discourse | discourse | 2026.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an application-level denial of service issue in Discourse's username change functionality. Attackers can send large JSON payloads to the username preference endpoint (PUT /u//preferences/username) on try.discourse.org, causing server delays and resource exhaustion. This results in degraded performance for other users and endpoints.
How can this vulnerability impact me? :
The vulnerability can cause noticeable server delays and resource exhaustion, leading to degraded performance of the Discourse platform for all users. This means legitimate users may experience slow responses or inability to use certain features while the server is under attack.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Discourse to one of the patched versions: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. No known workarounds are available.