CVE-2025-23023
Published: 04 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-23023 is a cache poisoning vulnerability in Discourse, an open source platform for community discussion. In affected versions, an attacker can craft a request with specific headers to poison the anonymous cache, potentially resulting in cached responses lacking preloaded data. This flaw specifically impacts anonymous visitors to the site and is classified under CWE-346, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), indicating high severity due to network accessibility, low attack complexity, and significant integrity impact.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network without user interaction by sending a maliciously crafted request that manipulates cache headers. Successful exploitation poisons the anonymous cache, leading to integrity violations such as serving incomplete or altered responses to subsequent anonymous users, though it causes only low availability impact and no confidentiality loss.
The Discourse security advisory recommends upgrading to the latest patched version to mitigate the issue. For users unable to upgrade immediately, disabling the anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value serves as a workaround. Additional details are available in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-5h4h-2f46-r3c7.
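The mechanism behind this class of bug is easy to model: a shared cache for anonymous visitors stores whatever response was rendered first, so if one request variant produces a reduced page, every later anonymous visitor receives it. The following Ruby script is an added illustration written for this page, not Discourse's own code; the `X-Render-Variant` header, the page bodies and the `AnonCache` class are constructed stand-ins. It contrasts a lenient cache that stores any first rendering with a strict one that only stores a canonical anonymous response carrying preloaded data, and it models the advisory's `DISCOURSE_DISABLE_ANON_CACHE` kill switch.

```ruby
# Added illustration, not Discourse's own code: a minimal anonymous page cache
# showing how a single request variant can poison the shared cache, and two
# defensive controls. The header name X-Render-Variant and the page bodies are
# constructed for this example.
require 'digest'

# Hypothetical page renderer: a plain anonymous request gets a full page with
# preloaded data; a request carrying the constructed X-Render-Variant header
# gets a reduced page without it (standing in for the "lacking preloaded data"
# outcome the advisory describes).
def render_page(path, headers)
  if headers.key?('X-Render-Variant')
    { body: "<html>#{path}</html>", preloaded: false }
  else
    { body: "<html>#{path}<script id='data-preloaded'></script></html>", preloaded: true }
  end
end

class AnonCache
  # disabled: mirrors the advisory workaround, where a non-empty
  # DISCOURSE_DISABLE_ANON_CACHE turns the anonymous cache off entirely.
  # strict: only store canonical anonymous renderings (the hardened behaviour).
  def initialize(disabled: !ENV['DISCOURSE_DISABLE_ANON_CACHE'].to_s.empty?, strict: true)
    @disabled = disabled
    @strict = strict
    @store = {}
  end

  def fetch(path, headers)
    return render_page(path, headers) if @disabled
    key = Digest::SHA256.hexdigest(path)   # the key ignores request variants
    return @store[key] if @store.key?(key)
    page = render_page(path, headers)
    @store[key] = page if cacheable?(headers, page)
    page
  end

  private

  # Lenient mode caches whatever was rendered first, which is the poisoning
  # pattern. Strict mode refuses to store a response produced for a request
  # with a variant header, or one that lacks preloaded data.
  def cacheable?(headers, page)
    return true unless @strict
    !headers.key?('X-Render-Variant') && page[:preloaded]
  end
end

# Scenario used by the checks below: a variant request is served first, then an
# ordinary anonymous visitor asks for the same path. Returns true when the
# visitor receives the reduced page, i.e. the cache was poisoned.
def poisoned?(cache)
  cache.fetch('/latest', { 'X-Render-Variant' => '1' })
  visitor = cache.fetch('/latest', {})
  !visitor[:preloaded]
end

if __FILE__ == $0
  puts "lenient cache poisoned:  #{poisoned?(AnonCache.new(disabled: false, strict: false))}"
  puts "strict cache poisoned:   #{poisoned?(AnonCache.new(disabled: false, strict: true))}"
  puts "disabled cache poisoned: #{poisoned?(AnonCache.new(disabled: true))}"
end
```

The strict variant is the general fix for this bug class: a shared cache must only store responses that are valid for every client who shares the key, so anything that depends on a request-specific input either goes into the key or stays out of the cache. Disabling the cache removes the risk at the cost of the performance benefit, which is why the advisory offers it only as a stopgap until the patched version is deployed.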
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-23023 enables exploitation of a public-facing web application (T1190) via crafted request headers to poison the anonymous cache, facilitating stored data manipulation (T1565.001) by altering cached responses served to anonymous users.