CVE-2025-61598

EPSS 0.06%

Discourse is missing Cache-Control response header on error responses

Published: 11/6/2025Modified: 11/6/2025

Also known as:GHSA-jp9x-wwv6-cv3jBIT-discourse-2025-61598

Description

Discourse is an open source discussion platform. Version before 3.6.2 and 3.6.0.beta2, default Cache-Control response header with value no-store, no-cache was missing from error responses. This may caused unintended caching of those responses by proxies potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.

Affected packages (1)

Bitnami/discoursefrom 0, < 3.6.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References (4)

WEBhttps://github.com/discourse/discourse/commit/3ea1b663c82c067e5ca778db846bad1e082ba6cd
WEBhttps://github.com/discourse/discourse/commit/fd567af7bf5a15c70772021acbdf5d38487a31bc
WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-jp9x-wwv6-cv3j
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-61598