CVE-2024-53991
Published: 2024-12-19
Priority P3 · 54 · CVSS 3.1: 5.9 (medium)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit available
EPSS: 25.43% (97.7th percentile)
Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use `FileStore::LocalStore` which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick nginx into sending the Discourse backup file with a well crafted request. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade can either 1. Download all local backups on to another storage device, disable the `enable_backups` site setting and delete all backups until the site has been upgraded to pull in the fix. Or 2. Change the `backup_location` site setting to `s3` so that backups are stored and downloaded directly from S3.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| discourse | discourse | < 3.3.2 | 3.3.2 |
| discourse | discourse | < 3.4.0 | 3.4.0 |
The remaining four listed ranges carry no version data.
Detection & IOCs (extracted from sources)
- path: `/stylesheets/discourse-`
- path: `/downloads/backups/default/`
- header: `X-Sendfile-Type: X-Accel-Redirect`
- header: `X-Accel-Mapping: .*=/downloads/backups/default/`
Snort rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Discourse Backup File Disclosure via Default Nginx Configuration (CVE-2024-53991)"; flow:established,to_server; http.uri; content:"/stylesheets/discourse-"; startswith; http.header; to_lowercase; content:"x-sendfile-type|3a 20|x-accel-redirect|0d 0a|"; fast_pattern; content:"x-accel-mapping|3a 20|"; content:"|3d 2f|downloads|2f|backups|2f|"; distance:0; reference:url,projectdiscovery.io/blog/discourse-backup-disclosure-rails-send_file-quirk; reference:cve,2024-53991; classtype:web-application-attack; sid:2061027; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_03_24, cve CVE_2024_53991, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit requests use a crafted GET to a Discourse stylesheet URI combined with attacker-controlled headers `X-Sendfile-Type: X-Accel-Redirect` and `X-Accel-Mapping: .*=/downloads/backups/default/` to redirect nginx into serving the backup file.
- The Snort/ET rule keys on the URI starting with `/stylesheets/discourse-` AND the presence of both `x-sendfile-type: x-accel-redirect` and `x-accel-mapping:` headers containing `=/downloads/backups/` in the same request; all three conditions must be present.
- Shodan fingerprinting query for exposed Discourse instances that may be vulnerable: `http.component:"Discourse"`.
- The Nuclei template validates exploitation by checking for an HTTP 403 response with `text/html` content-type containing the string `discourse`, indicating nginx intercepted and blocked the internal redirect and confirming the vulnerable nginx mapping is active.
- This vulnerability ONLY affects Discourse instances using `FileStore::LocalStore` (local disk storage for uploads and backups). Instances using S3 storage are not affected.
- The attack requires the attacker to already know the name of the target Discourse backup file; without it, the path traversal via nginx cannot be directed to the correct file.
- The exploit abuses nginx's `X-Accel-Redirect` internal redirect mechanism combined with a crafted `X-Accel-Mapping` header; detection/blocking at the nginx or WAF layer should strip or reject these headers from untrusted clients.
No advisories linked to this vulnerability.
Suricata
ET WEB_SPECIFIC_APPS Discourse Backup File Disclosure via Default Nginx Configuration (CVE-2024-53991)
suricata · 2025-03-24 · CVSS 7.5 · [HIGH]
Rule: sid 2061027 (full rule text listed under Detection & IOCs above).
Nuclei
Discourse Backup File Disclosure Via Default Nginx Configuration
nuclei · CVSS 5.9 · [MEDIUM]
Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use `FileStore::LocalStore`, which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick nginx into sending the Discourse backup file with a well crafted request.
Template (truncated as indexed):
```yaml
id: CVE-2024-53991

info:
  name: Discourse Backup File Disclosure Via Default Nginx Configuration
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use `FileStore--LocalStore` which means uploads and
```
No writeups or analysis indexed.
Published: 2024-12-19