Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- < 3.3.2
- < 3.4.0.beta3
A vulnerability exists in Discourse versions prior to 3.3.2 and tests-passed versions prior to 3.4.0.beta3, allowing attackers to craft XHR requests that poison the anonymous cache. This can result in cached responses lacking essential preloaded data. The issue impacts only anonymous visitors to the site.
Exploitation of this vulnerability allows for anonymous cache poisoning, which can disrupt the delivery of preloaded data to users.
Users are advised to upgrade to Discourse version 3.3.2 or later. For those unable to upgrade, the anonymous cache can be disabled by setting the DISCOURSE_DISABLE_ANON_CACHE environment variable to a non-empty value.
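The following triage helper is an added example, not code from Discourse or from this advisory. It classifies an instance using the fixed versions and the workaround stated above. It assumes that a version string carrying a prerelease tag belongs to the beta/tests-passed line; the function names and the sample inventory are constructed for illustration.

```ruby
require "rubygems" # Gem::Version understands prerelease tags such as "beta3"

# Fixed versions as stated in the advisory.
FIXED_STABLE = Gem::Version.new("3.3.2")
FIXED_BETA   = Gem::Version.new("3.4.0.beta3")

# True when the given Discourse version predates the fix for its release line.
# Assumption: a prerelease tag (e.g. "3.4.0.beta2") means the beta/tests-passed
# line; everything else is treated as stable.
def affected_version?(version_string)
  version = Gem::Version.new(version_string.strip)
  fixed = version.prerelease? ? FIXED_BETA : FIXED_STABLE
  version < fixed
end

# The workaround counts only when the variable is set to a non-empty value;
# unset or "" leaves the anonymous cache enabled.
def anon_cache_disabled?(env)
  !env.fetch("DISCOURSE_DISABLE_ANON_CACHE", "").empty?
end

# Returns :patched, :mitigated or :exposed for one instance.
def triage(version_string, env = ENV)
  return :patched unless affected_version?(version_string)
  anon_cache_disabled?(env) ? :mitigated : :exposed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  [
    ["3.3.1", {}],
    ["3.3.1", { "DISCOURSE_DISABLE_ANON_CACHE" => "" }],
    ["3.3.1", { "DISCOURSE_DISABLE_ANON_CACHE" => "1" }],
    ["3.4.0.beta2", {}],
    ["3.4.0.beta3", {}],
    ["3.3.2", {}],
  ].each do |version, env|
    puts "#{version.ljust(12)} #{env.inspect.ljust(44)} #{triage(version, env)}"
  end
end
```

A `:mitigated` result still calls for an upgrade, since the workaround only disables the anonymous cache.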