Discourse is missing Cache-Control response header on error responses

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Discourse is an open source discussion platform. Version before 3.6.2 and 3.6.0.beta2, default Cache-Control response header with value no-store, no-cache was missing from error responses. This may caused unintended caching of those responses by proxies potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.

Basic Information

ID CVE-2025-61598

Source GitHub_M

Published Oct 28, 2025 at 20:38

Affected Product

Vendor discourse

Product discourse

Version < 3.6.2

Affected Versions discourse discourse < 3.6.2
discourse discourse >= 3.6.0.beta1, < 3.6.0.beta2

CWE Classification

CWE-524

References

{
    "lastseen": "",
    "description": "Discourse is an open source discussion platform. Version before 3.6.2 and 3.6.0.beta2, default Cache-Control response header with value no-store, no-cache was missing from error responses. This may caused unintended caching of those responses by proxies potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.",
    "published": "2025-10-28T20:38:54.753Z",
    "modified": "2025-10-28T20:38:54.753Z",
    "type": "cve",
    "title": "Discourse is missing Cache-Control response header on error responses",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-jp9x-wwv6-cv3j\nhttps://github.com/discourse/discourse/commit/3ea1b663c82c067e5ca778db846bad1e082ba6cd\nhttps://github.com/discourse/discourse/commit/fd567af7bf5a15c70772021acbdf5d38487a31bc",
    "id": "CVE-2025-61598",
    "bulletinFamily": "",
    "cwe": [
        "CWE-524"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse < 3.6.2\ndiscourse discourse >= 3.6.0.beta1, < 3.6.0.beta2",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": "< 3.6.2",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Discourse is missing Cache-Control response header on error responses_CVE-2025-61598