Discourse is an open source platform for community discussion. Affected versions apply no rate limit to the POST /uploads endpoint, which makes a denial-of-service attack against the server easier to carry out, since creating an upload can be a resource-intensive process (the attacker only has to keep submitting uploads). The impact varies from site to site: site settings such as `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` determine how much work each upload costs the server. The issue is patched in the latest stable, beta and tests-passed versions of Discourse, and users are advised to upgrade. Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels`, since smaller uploads require fewer resources to process. Alternatively, `client_max_body_size` can be reduced in Nginx so that large upload bodies are rejected at the proxy before they reach the application.
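The following Nginx configuration is an added example of the proxy-side workaround described above; it is not Discourse's shipped Nginx config and not part of the advisory. It assumes Discourse is served behind an Nginx reverse proxy, that the application upstream is named `discourse`, and that upload creation is reached at `/uploads` or `/uploads.json`; all three are assumptions, as is the hostname. Beyond the advisory's `client_max_body_size` suggestion it also adds a per-address request limit on POSTs to the upload endpoint, which addresses the missing rate limit directly rather than only shrinking each request.

```nginx
# Added example; not Discourse's own nginx config. The map and limit_req_zone
# directives belong in the http context, the rest in the Discourse server block.

# Build the rate-limit key only for POST requests. nginx does not account a
# request whose key is empty, so GETs on the same path are never throttled.
map $request_method $upload_limit_key {
    default "";
    POST    $binary_remote_addr;
}

# Shared state for the limit (about 16k address states per megabyte) and the
# rate: 10 upload creations per minute per client address.
limit_req_zone $upload_limit_key zone=discourse_uploads:10m rate=10r/m;

server {
    listen 80;
    server_name forum.example.com;    # assumed hostname

    # Weak setting: a single generous body cap applies to every request,
    # including upload creation, and nothing limits how often it is called.
    # client_max_body_size 100m;

    # Corrected: a tighter site-wide cap, and stricter handling below for
    # the upload endpoint specifically.
    client_max_body_size 20m;

    # Assumed path for upload creation (Discourse's client posts JSON here).
    location ~ ^/uploads(\.json)?$ {
        # Allow a short burst (e.g. a multi-file drag and drop), then reject
        # with 429 instead of queueing, so excess requests never reach Rails.
        limit_req zone=discourse_uploads burst=5 nodelay;
        limit_req_status 429;

        # Bodies larger than this are refused with 413 at the proxy. Keep it
        # in line with max_image_size_kb / max_attachment_size_kb so the app
        # never spends CPU on an upload it would reject anyway.
        client_max_body_size 5m;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://discourse;    # assumed upstream name
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://discourse;    # assumed upstream name
    }
}
```

Validate with `nginx -t` before reloading, then confirm the limit is live by issuing more than `burst + 1` POSTs to the upload path from one address within a minute and checking that the later ones return 429. Two caveats: `$binary_remote_addr` is the address nginx sees, so if another load balancer sits in front you must configure the real_ip module (or key on a trusted forwarded-for header) or every client will share one bucket; and a request-count limit bounds how often the endpoint is hit, not how expensive each hit is, so it complements rather than replaces lowering `max_image_megapixels` and the size settings, and it does not substitute for upgrading to a patched release.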
Fixes

Solution

Upgrade to the latest stable, beta or tests-passed version of Discourse, in which the issue is patched (as stated in the advisory description above).


Workaround

Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels`, since smaller uploads require fewer resources to process, or reduce `client_max_body_size` in Nginx so that large upload bodies never reach the server (as stated in the advisory description above).

History

Tue, 26 Aug 2025 16:45:00 +0000

  CPEs: cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*
        cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*

Thu, 10 Apr 2025 21:15:00 +0000

  First time appeared: Discourse (discourse)
  CPEs: cpe:2.3:a:discourse:discourse:-:*:*:*:*:*:*:*
  Vendors & Products: Discourse (discourse)
  Metrics (SSVC, version 2.0.3): Automatable: yes; Exploitation: none; Technical Impact: partial


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-04-10T20:27:16.048Z

Reserved: 2024-01-31T16:28:17.945Z

Link: CVE-2024-24827

Vulnrichment

Updated: 2024-08-01T23:28:12.832Z

NVD

Status : Analyzed

Published: 2024-03-15T20:15:07.900

Modified: 2025-08-26T16:36:16.460

Link: CVE-2024-24827

Red Hat

No data.

OpenCVE Enrichment

No data.