CVE-2023-25167: 
NixOS vulnerability analysis and mitigation

Discourse, an open source discussion platform, was found to contain a vulnerability (CVE-2023-25167) related to a regular expression denial of service (ReDoS) issue. The vulnerability was discovered and disclosed on February 8, 2023, affecting all versions up to Discourse 3.0.1 and beta versions up to 3.1.0.beta1. A malicious user could exploit this vulnerability using a carefully crafted git URL (GitHub Advisory).

The vulnerability stems from an ambiguous SSH URL regular expression pattern in the git_url.rb file. The original vulnerable regex pattern '(\w+@(\w+.)\w+):(.)' was unbound and could lead to catastrophic backtracking. This was later patched by implementing a more specific and bounded regex pattern '\A(\w+@\w+(.\w+)):(.)\z' (GitHub Patch). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability affects the availability of the system through a denial of service condition. When exploited, it could cause the application to become unresponsive due to excessive CPU usage while processing specially crafted git URLs (GitHub Advisory).

The vulnerability has been patched in Discourse version 3.0.1 and later for stable releases, and version 3.1.0.beta2 and later for beta releases. Users are advised to upgrade to these or newer versions as there are no known workarounds for this issue (GitHub Advisory).