CVE-2024-55948

8.2 HIGH

📋 TL;DR

This vulnerability allows attackers to poison the anonymous cache in Discourse through crafted XHR requests, potentially serving incomplete or manipulated content to anonymous visitors. Only anonymous users are affected, not authenticated users. The issue could lead to degraded user experience or content manipulation.

💻 Affected Systems

Products:
  • Discourse
Versions: All versions before the patch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects anonymous visitors; authenticated users are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could serve malicious or incomplete content to all anonymous visitors, potentially leading to misinformation, degraded user experience, or manipulation of community discussions.

🟠 Likely Case

Attackers poison cache to serve incomplete pages or slightly altered content to anonymous users, causing confusion or minor disruption.

🟢 If Mitigated

With proper patching or workarounds, no impact as the vulnerability is eliminated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires crafting specific XHR requests to poison cache; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest version of Discourse

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-2352-252q-qc82

Restart Required: No

Instructions:

1. Update Discourse to the latest version.
2. Verify the update completed successfully.
3. No restart required for typical deployments.

🔧 Temporary Workarounds

Disable Anonymous Cache

all

Disables the anonymous cache entirely to prevent cache poisoning attacks.

export DISCOURSE_DISABLE_ANON_CACHE=true

🧯 If You Can't Patch

  • Implement the DISCOURSE_DISABLE_ANON_CACHE environment variable workaround
  • Monitor logs for unusual XHR request patterns targeting anonymous endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether the instance is running a Discourse version before the latest patch and whether anonymous caching is enabled.

Check Version:

Check Discourse admin panel or run: `discourse --version`

Verify Fix Applied:

Verify Discourse is updated to the latest version and test anonymous page loads for completeness.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XHR request patterns to anonymous endpoints
  • Cache-related errors in logs

Network Indicators:

  • Multiple XHR requests from single IPs targeting anonymous cache endpoints

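SIEM Query (field names depend on your log schema; `x_requested_with` is assumed here to hold the `X-Requested-With` request header, which is how XHR requests are identified, since XHR is not an HTTP method):

source="discourse" AND x_requested_with="XMLHttpRequest" AND status_code=200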
