Description

Discourse is an open source discussion platform. In versions before 3.6.2 and 3.6.0.beta2, the default Cache-Control response header with value no-store, no-cache was missing from error responses. This may have caused unintended caching of those responses by proxies, potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.

PUBLISHED Reserved 2025-09-26 | Published 2025-10-28 | Updated 2025-10-29 | Assigner GitHub_M




MEDIUM: 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-524: Use of Cache Containing Sensitive Information

Product status

< 3.6.2: affected

>= 3.6.0.beta1, < 3.6.0.beta2: affected

References

github.com/...course/security/advisories/GHSA-jp9x-wwv6-cv3j

github.com/...ommit/3ea1b663c82c067e5ca778db846bad1e082ba6cd

github.com/...ommit/fd567af7bf5a15c70772021acbdf5d38487a31bc

cve.org (CVE-2025-61598)

nvd.nist.gov (CVE-2025-61598)
