CVE-2024-24827

Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to site as various site settings like `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` will determine the amount of resources used when creating an upload. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` as smaller uploads require less resources to process. Alternatively, `client_max_body_size` can be reduced in Nginx to prevent large uploads from reaching the server.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/commit/003b80e62f97cd8c0114d6b9d3f93c10443e6fae	Patch
https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4	Third Party Advisory
https://github.com/discourse/discourse/commit/003b80e62f97cd8c0114d6b9d3f93c10443e6fae	Patch
https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:::::beta:::*

History

26 Aug 2025, 16:36

Type	Values Removed	Values Added
References	~~() https://github.com/discourse/discourse/commit/003b80e62f97cd8c0114d6b9d3f93c10443e6fae -~~	() https://github.com/discourse/discourse/commit/003b80e62f97cd8c0114d6b9d3f93c10443e6fae - Patch
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4 -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4 - Third Party Advisory
First Time		Discourse discourse Discourse
CPE		cpe:2.3:a:discourse:discourse:::::stable:::* cpe:2.3:a:discourse:discourse:::::beta:::*

21 Nov 2024, 08:59

Type	Values Removed	Values Added
Summary		(es) Discourse es una plataforma de código abierto para el debate comunitario. Sin un límite de velocidad en el endpoint POST /uploads, a un atacante le resulta más fácil llevar a cabo un ataque DoS en el servidor, ya que crear una carga puede ser un proceso que consume muchos recursos. Tenga en cuenta que el impacto varía de un sitio a otro, ya que varias configuraciones del sitio, como `max_image_size_kb`, `max_attachment_size_kb` y `max_image_megapixels`, determinarán la cantidad de recursos utilizados al crear una carga. El problema está solucionado en la última versión estable, beta y probada de Discourse. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben reducir `max_image_size_kb`, `max_attachment_size_kb` y `max_image_megapixels` ya que las cargas más pequeñas requieren menos recursos para procesar. Alternativamente, `client_max_body_size` se puede reducir en Nginx para evitar que grandes cargas lleguen al servidor.
References	~~() https://github.com/discourse/discourse/commit/003b80e62f97cd8c0114d6b9d3f93c10443e6fae -~~	() https://github.com/discourse/discourse/commit/003b80e62f97cd8c0114d6b9d3f93c10443e6fae -
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4 -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4 -

15 Mar 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-15 20:15

Updated : 2025-08-26 16:36

NVD link : CVE-2024-24827

Mitre link : CVE-2024-24827

CVE.ORG link : CVE-2024-24827

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-400

Uncontrolled Resource Consumption

5.3 /10