CVE-2025-30346HTTP Request Smuggling in Varnish Cache

CWE-444HTTP Request Smuggling6 documents6 sources
Severity
4.8MEDIUMNVD
CNA5.4
EPSS
0.2%
top 61.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Varnish-software Varnish CacheVarnish-cache VarnishVarnish Cache Project Varnish Cache+1 more
Timeline
PublishedMar 21

Description

Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5

Affected Packages4 packages

CVEListV5varnish-software/varnish_cache7.5.07.6.2
Debianvarnish-cache/varnish< 6.5.1-1+deb11u4+3
NVDvarnish-software/varnish_enterprise6.0.11, 6.0.12, 6.0.13+2

🔴Vulnerability Details

3
CVEList
CVE-2025-30346: Varnish Cache before 72025-03-21
OSV
CVE-2025-30346: Varnish Cache before 72025-03-21
GHSA
GHSA-hxcm-q7m2-7qhp: Varnish Cache before 72025-03-21

📋Vendor Advisories

2
Red Hat
varnish: Client-Side Desynchronization in Varnish Cache2025-03-21
Debian
CVE-2025-30346: varnish - Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-...2025
CVE-2025-30346 — HTTP Request Smuggling | cvebase