CVE-2023-48297: 
NixOS vulnerability analysis and mitigation

Discourse, a platform for community discussion, was found to contain a vulnerability (CVE-2023-48297) where the message serializer uses the full list of expanded chat mentions (@all and @here), potentially leading to a very long array of users. The vulnerability was discovered and disclosed on January 12, 2024, affecting Discourse versions up to 3.1.3 (stable) and 3.2.0.beta3 (beta). The issue was patched in versions 3.1.4 and 3.2.0.beta5 (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NIST and 8.6 HIGH by GitHub. The vulnerability is characterized by Network attack vector, Low attack complexity, requiring No privileges, and No user interaction. While NIST assessed the scope as Unchanged, GitHub assessed it as Changed. Both assessments agree there is High impact on availability, with no impact on confidentiality or integrity (NVD).

The primary impact of this vulnerability is on system availability. When exploited, the vulnerability can lead to excessive resource consumption due to the creation of very long arrays of users from expanded chat mentions, potentially affecting the system's performance or stability (Vendor Advisory).

The primary mitigation is to upgrade to the patched versions: 3.1.4 for stable release or 3.2.0.beta5 for beta users. As a temporary workaround, administrators can use watched words to prevent the usage of @ALL and @here mentions, though upgrading is still strongly recommended (Vendor Advisory).