CVE-2025-61598

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-61598

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61598.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-61598

Aliases

BIT-discourse-2025-61598
GHSA-jp9x-wwv6-cv3j

Published

2025-10-28T20:38:54Z

Modified

2025-11-17T19:51:35.204269Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Discourse is missing Cache-Control response header on error responses

Details

Discourse is an open source discussion platform. Version before 3.6.2 and 3.6.0.beta2, default Cache-Control response header with value no-store, no-cache was missing from error responses. This may caused unintended caching of those responses by proxies potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.

Database specific

{
    "cwe_ids": [
        "CWE-524"
    ]
}

References

Affected packages

Git / github.com/discourse/discourse

Affected ranges

Type: GIT
Repo: https://github.com/discourse/discourse
Events: Introduced

d63a24313a2caf2ecd21edf444ae7c37308090c9

Fixed

8a3cb59d5bb9c1a8df031e994d03030345a8784e

Affected versions

v3.*

v3.6.0.beta1