{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-13T11:16:34.980","vulnerabilities":[{"cve":{"id":"CVE-2025-68934","sourceIdentifier":"security-advisories@github.com","published":"2026-01-28T20:16:12.627","lastModified":"2026-01-30T20:47:28.030","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path."},{"lang":"es","value":"Discourse es una plataforma de discusión de código abierto. En versiones anteriores a 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0, los usuarios autenticados pueden enviar cargas útiles elaboradas a /drafts.json que causan un procesamiento O(n^2) en Base62.decode, ocupando los workers durante 35-60 segundos por solicitud. Esto afecta a todos los usuarios ya que el grupo de workers compartido se agota. Este problema está parcheado en las versiones 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0. Reducir la configuración del sitio max_draft_length reduce la superficie de ataque, pero no mitiga completamente el problema, ya que las cargas útiles por debajo del límite aún pueden activar la ruta de código lenta."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*","versionEndExcluding":"3.5.4","matchCriteriaId":"FDBF21E2-1191-4020-A17A-0702DE4E6451"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*","versionStartIncluding":"2025.11.0","versionEndExcluding":"2025.11.2","matchCriteriaId":"539B5B85-44F0-408E-B994-08BB20EA9C26"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*","matchCriteriaId":"CCBF47A8-0D3F-4174-8084-CD3517BF272A"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*","matchCriteriaId":"F6CF5F98-F08F-4B28-BBE2-8296760A547E"}]}]}],"references":[{"url":"https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849","source":"security-advisories@github.com","tags":["Third Party Advisory","Mitigation"]}]}}]}