DevForum vulnerability allowing replies to crash threads (Out-of-Memory / render failure)

A vulnerability is currently being abused on the DevForum where a particular type of content posted in a reply can cause certain threads to become extremely difficult or impossible to view. When a browser attempts to load and render a thread containing one of these replies, the page will freeze and flash repeatedly. I’ve identified multiple users engaging in this malicious behavior across multiple threads, and each one is listed in the PM attached to this report.

When opening an affected thread, the tab becomes unresponsive and the page flashes rapidly. In some cases, the browser shows an Out-of-Memory error, and system RAM usage increases dramatically. The issue persists across different browsers and refresh attempts and only occurs on threads containing the specific reply content.

This issue is triggered by specially crafted content embedded in a reply that breaks the page renderer. When the page processes this reply during load, the entire thread becomes unstable and fails to render properly, effectively making the thread unreadable and breaking your entire browser.

This is actively disruptive because it prevents users from accessing legitimate discussion content and creates the impression that the forum itself is broken. The same method appears to be reusable across different threads, meaning a single reply will make any thread it is posted under freeze or fail to load for all users.

This behavior can be observed by opening a thread that contains one of these replies, such as:
https://devforum.roblox.com/t/i-have-found-a-working-bypass-to-robloxs-age-verification/4395840/

I am intentionally not naming the users involved publicly to avoid encouraging copycat behavior or escalation, but they are listed in the PM. Multiple users have confirmed experiencing the same symptoms. Images and videos are attached showing the flashing, incomplete page rendering, and failure to load behavior when opening affected threads. Could this please be investigated as a priority, as it is currently being abused and making parts of the DevForum inaccessible.

@Hooksmith

A private message is associated with this bug report

This has been fixed, we removed all the posts causing issues and have disabled the spoiler feature for now. Thanks for reporting.

@Hooksmith, me and my friends believe
we know who caused this error. Check your PMs for more information.

what about limit the amount nested spoilers to only one spoiler if posible

what about my things that already have spoilers, do they get removed or turned into normal text

[spoiler]they are look like this now[/spoiler] just search spoiler and you find posts used spoilers

same person has apparently found another way to crash the forum, hasn’t used it yet

image495×421 38.5 KB

Apparently not..

image270×108 7.81 KB

We are really just botting threads now? You guys are really trying to speedrun making them close this forum what the hell

@Hooksmith Can you please do something about this like botting problem?

image738×340 111 KB

On the great lounge reset aka Wednesday the 18th, u will have to be age verified to even log in and thus like posts

is it the one with a lot of images? i saw it a day ago

You mean those lag post with frames per two spammed those are google maps IFrames spammed what makes the dev Forum loads that all and thus page the topic

All html and markup things might be disabled sooner or later

oh sorry, i just assumed they were images because they would never fully load when i looked at them. i did just see a post earlier, and it loaded since i think they didn’t spam enough frames. rn i’m experimenting with the ublock origin element picker to try and stop them from showing up (blocking doesn’t help when they keep making new alts)

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.