CVE-2025-23023: 
Discourse vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, contains a vulnerability (CVE-2025-23023) discovered on February 4, 2025. The vulnerability allows an attacker to poison the anonymous cache through carefully crafted request headers, potentially resulting in responses with missing preloaded data. This issue affects versions prior to 3.3.2 (stable) and 3.4.0.beta3 (tests-passed), and only impacts anonymous visitors of the site (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L. The attack vector is network-based, requires low complexity, needs no privileges or user interaction, and has an unchanged scope. The impact primarily affects integrity (High) and availability (Low), with no impact on confidentiality (GitHub Advisory, NVD).

When successfully exploited, the vulnerability allows attackers to poison the anonymous cache of the Discourse platform. This can result in cached responses missing critical preloaded data, potentially affecting the functionality and integrity of the platform for anonymous visitors (GitHub Advisory).

The vulnerability has been patched in Discourse versions 3.3.2 (stable) and 3.4.0.beta3 (tests-passed). For users unable to upgrade immediately, a workaround is available by disabling the anonymous cache. This can be done by setting the DISCOURSEDISABLEANON_CACHE environment variable to a non-empty value (GitHub Advisory).