PT-2025-21129 · Varnish · Varnish Cache

Asad Ahmed · Published 2025-05-13 · Updated 2025-12-03 · CVE-2025-47905

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Varnish Cache versions 7.6.3 and earlier and version 7.7.0; Varnish Enterprise versions 6.0.13r13 and earlier
Description: The issue allows client-side desync via HTTP/1 requests. It occurs because the product incorrectly permits the CRLF that delimits chunk boundaries to be skipped.
Recommendations: For Varnish Cache versions 7.6.3 and earlier, update to version 7.6.3 or later. For Varnish Cache version 7.7.0, update to version 7.7.1 or later. For Varnish Enterprise versions 6.0.13r13 and earlier, update to version 6.0.13r14 or later.
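The check at the heart of the description is the CRLF that must follow every chunk's data. The strict chunked-body decoder below is an added illustration written for this page, not Varnish's code, and it does not reproduce where the lax parsing sat in Varnish; it shows what a parser that refuses to skip that CRLF looks like, including the last-chunk, chunk-extension and truncation cases.

```python
"""Strict HTTP/1 chunked-body decoder (added illustration, not Varnish code).

RFC 9112 frames each chunk as: <hex size>[;ext] CRLF <data> CRLF.
A parser that tolerates a missing CRLF after <data> can disagree with a
strict peer on where the body ends, which is the desync class named above.
"""

class ChunkError(ValueError):
    """Raised on any framing violation; the caller should reject the message."""

HEX = b"0123456789abcdefABCDEF"

def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Return (decoded_payload, bytes_left_after_the_body).

    Every chunk's data must be followed by exactly CRLF; anything else
    (a digit, a bare LF, end of input) is a hard error, never skipped.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("chunk-size line not terminated by CRLF")
        size_field = body[pos:eol].split(b";", 1)[0].rstrip()  # drop chunk-ext
        if not size_field or any(c not in HEX for c in size_field):
            raise ChunkError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: optional trailer fields, then an empty line (CRLF CRLF)
            end = body.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                raise ChunkError("missing final CRLF after last-chunk")
            return bytes(out), body[end + 4:]
        data_end = pos + size
        if data_end + 2 > len(body):
            raise ChunkError("truncated chunk data")
        # The hardened check: chunk data MUST be terminated by CRLF.
        if body[data_end:data_end + 2] != b"\r\n":
            raise ChunkError("chunk data not terminated by CRLF")
        out += body[pos:data_end]
        pos = data_end + 2

def is_strictly_framed(body: bytes) -> bool:
    """True only if `body` decodes under the strict rules above."""
    try:
        decode_chunked(body)
        return True
    except ChunkError:
        return False
```

The constructed inputs in the docstring shape (`5\r\nhello\r\n0\r\n\r\n`) decode; the same body with the CRLF after `hello` removed is rejected instead of being silently re-synchronised on the next size line.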

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers

ALSA-2025:8336
ALSA-2025:8337
ALSA-2025:8550
BDU:2025-15593
BIT-VARNISH-2025-47905
CESA-2025_8336
CVE-2025-47905
DLA-4187-1
DSA-5918-1
INFSA-2025_8336
INFSA-2025_8337
OESA-2025-1556
RHSA-2025:8294
RHSA-2025:8310
RHSA-2025:8336
RHSA-2025:8337
RHSA-2025:8339
RHSA-2025:8340
RHSA-2025:8349
RHSA-2025:8350
RHSA-2025:8351
RHSA-2025:8550
RHSA-2025_8336
RHSA-2025_8337

Affected Products

AlmaLinux
CentOS
Debian
Red Hat
RED OS
Rocky Linux
Varnish Cache
Varnish Enterprise