Unrated severityNVD Advisory· Published Oct 28, 2025· Updated Oct 29, 2025

Discourse is missing Cache-Control response header on error responses

CVE-2025-61598

Description

Discourse is an open source discussion platform. Version before 3.6.2 and 3.6.0.beta2, default Cache-Control response header with value no-store, no-cache was missing from error responses. This may caused unintended caching of those responses by proxies potentially leading to cache poisoning attacks. This vulnerability is fixed in 3.6.2 and 3.6.0.beta2.

Affected products

Discourse (software)/Discoursev5
Range: < 3.6.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/3ea1b663c82c067e5ca778db846bad1e082ba6cdmitrex_refsource_MISC
github.com/discourse/discourse/commit/fd567af7bf5a15c70772021acbdf5d38487a31bcmitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-jp9x-wwv6-cv3jmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000