Discourse Vulnerability CVE-2021-41163

Hey all,

I was recently made aware of this security vulnerability in Discourse NVD - CVE-2021-41163 (nist.gov)

I was curious because its on the /webhooks/aws url, is Discourse in Azure affected by this as well?

1 Like

Every instance is affected (if not patched) no matter where you host it.


Hey @Falco thanks for the speedy reply!

I am not a ruby expert but I thought that this line of code would prevent the execution of the vulnerable bit on Azure as it would evaluate to false?? Please do correct me here cause I don’t know ruby.

Also, as a complete band-aid solution and NOT RECCOMENDED as upgrading is 100% the best solution. Could you edit the nginx file in order to temporarily fix this until upgrading?
Like this:

  1. ssh to machine
  2. cd /var/discourse
  3. ./launcher enter app
  4. cd /etc/nginx/conf.d/
  5. edit discourse.conf
  6. add:
location ~* /webhooks/aws {
    deny all;
  1. sv restart nginx

I have every intention of upgrading, and soon. But I’ll need about a week to organize things for our live environment and would like to be secure in the meantime.

That line will execute anyway, as that parameter is user input.

That may work, but as you stated is a band-aid. Rebuilding will remove the fix, and be very careful testing as nginx config is very tricky to get right.


Based on the insight of our security team, this is not Discourse bug. This bug is in our SNS messages distribution system ( MDS ) ( cannot go into much details here ) meaning it will affect every package that uses / make use of SNS service.

1 Like

Yes, the problem is indeed caused by an upstream issue in the aws-sdk-sns gem. But it is important to realize that - since Discourse uses this gem and exposes the bug to the world - every Discourse instance is vulnerable even when it does not actually use the AWS SNS service.

So while it is not a “Discourse bug” it is a “security vulnerability in Discourse”.


is this vulnerability fixed? thank you.

Yes, but you need to ensure that you’ve applied the patch. Read the topic. :slight_smile:


a simple

launcher rebuild app

will not help to fix this vulnerability?

./launcher rebuild app will apply the latest updates to your Discourse instance, and will include the patch for this issue :+1:

Official information can be found at RCE via malicious SNS subscription payload · Advisory · discourse/discourse · GitHub


Sounds better :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.