CVE-2024-21655: 
NixOS vulnerability analysis and mitigation

Discourse, a platform for community discussion, was found to have a vulnerability (CVE-2024-21655) where client-editable fields lacked proper size limitations. The vulnerability was discovered and disclosed on January 12, 2024, affecting Discourse versions up to 3.1.3 (stable) and 3.2.0.beta3 (beta/tests-passed branches) (GitHub Advisory).

The vulnerability stems from insufficient control of custom field value sizes, where limits on sizes are either not imposed at all or are too generous. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The weakness has been classified as CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

The vulnerability allows a malicious actor to cause a Discourse instance to consume excessive disk space and bandwidth, potentially affecting the system's availability and performance (GitHub Advisory).

The vulnerability has been patched in Discourse versions 3.1.4 (stable) and 3.2.0.beta4 (beta/tests-passed). No workarounds are available, and users are advised to upgrade to the patched versions as soon as possible (GitHub Advisory).