Primary

Context

Discourse Anonymous Cache Poisoning Vulnerability

Vulnerability

Patched

A vulnerability exists in Discourse versions prior to 3.3.2 and tests-passed versions prior to 3.4.0.beta3, allowing attackers to craft requests that poison the anonymous cache. This can result in cached responses lacking essential preloaded data, and it specifically impacts anonymous users on the site.

Impact

Exploitation of this vulnerability allows for anonymous cache poisoning, which can disrupt the proper functioning of the cache by introducing responses that are missing critical preloaded information.

Remediation

Users are advised to upgrade to Discourse version 3.3.2 or later. For those unable to upgrade, the anonymous cache can be disabled by setting the DISCOURSE_DISABLE_ANON_CACHE environment variable to a non-empty value.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

0.6

exploitability

4.7

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

0.6

exploitability

4.7

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Discourse Anonymous Cache Poisoning Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Discourse

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating