CVE-2025-23023
Published: 04 February 2025
Summary
CVE-2025-23023 is a high-severity Origin Validation Error (CWE-346) vulnerability in Discourse Discourse. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the Discourse software flaw to directly eliminate the cache poisoning vulnerability as specified in the security advisory.
Restricts the system to least functionality by disabling the non-essential anonymous cache feature via environment variable, serving as the recommended workaround.
Validates information inputs including crafted HTTP request headers to block malicious requests that poison the anonymous cache.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-23023 enables exploitation of a public-facing web application (T1190) via crafted request headers to poison the anonymous cache, facilitating stored data manipulation (T1565.001) by altering cached responses served to anonymous users.
NVD Description
Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded…
more
data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade may disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Deeper analysisAI
CVE-2025-23023 is a cache poisoning vulnerability in Discourse, an open source platform for community discussion. In affected versions, an attacker can craft a request with specific headers to poison the anonymous cache, potentially resulting in cached responses lacking preloaded data. This flaw specifically impacts anonymous visitors to the site and is classified under CWE-346, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), indicating high severity due to network accessibility, low attack complexity, and significant integrity impact.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network without user interaction by sending a maliciously crafted request that manipulates cache headers. Successful exploitation poisons the anonymous cache, leading to integrity violations such as serving incomplete or altered responses to subsequent anonymous users, though it causes only low availability impact and no confidentiality loss.
The Discourse security advisory recommends upgrading to the latest patched version to mitigate the issue. For users unable to upgrade immediately, disabling the anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value serves as a workaround. Additional details are available in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-5h4h-2f46-r3c7.
Details
- CWE(s)