Vulnerability Description
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 3.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849Third Party AdvisoryMitigation
FAQ
What is CVE-2025-68934?
CVE-2025-68934 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) proce...
How severe is CVE-2025-68934?
CVE-2025-68934 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-68934?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.