CVE-2025-30346
Published 2025-03-21
CVE-2025-30346: Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
Priority: P4 · 23 · medium
CVSS 3.1: 4.8 (medium), vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.29% (20.3rd percentile)
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests (CWE-444, HTTP request/response smuggling). Confirm the running build with `varnishd -V` before deciding whether a host is affected; distribution packages at older upstream versions (Debian's 6.5.1 and 7.1.1 packages, for example) carry backported fixes under their own version strings, listed below.
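To make the vulnerability class concrete, here is a toy model of an HTTP/1 client-side desync (CWE-444, the weakness the GHSA and Red Hat entries below attach to this CVE). It is an added example, not Varnish code, and it does not reproduce the specific Varnish defect, whose details this page does not give. It assumes the generic client-side desync shape: a keep-alive server that answers a request without first consuming the request body that arrived with it, so the body bytes are parsed as the start of the next request on the same connection. The hostnames, paths and traffic are constructed for the example.

```python
# Toy model of an HTTP/1 client-side desync (CWE-444). Added illustration;
# not Varnish code and not a reproduction of the exact Varnish defect.
# Assumption (labelled): a keep-alive server that answers a request from
# cache without consuming the Content-Length body that came with it.


def parse_request_head(buf):
    """Split one HTTP/1 request head off the front of buf.

    Returns (method, target, headers, remainder) or None when no complete
    head (terminated by a blank line) is present yet.
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    head, remainder = buf[:end], buf[end + 4:]
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, remainder


def serve_connection(conn_bytes, drain_body):
    """Run a keep-alive server over everything the client wrote to one connection.

    Returns the requests the server handled, in order. With drain_body=False
    the server answers each request without reading its Content-Length body,
    so those body bytes stay in the buffer and are parsed as the start of the
    next request. With drain_body=True the body is consumed before the next
    head is read (the safe behaviour; closing the connection after an
    unconsumed body would also work).
    """
    handled = []
    buf = conn_bytes
    while True:
        parsed = parse_request_head(buf)
        if parsed is None:
            break
        method, target, headers, buf = parsed
        handled.append(f"{method.decode()} {target.decode()}")
        body_len = int(headers.get(b"content-length", b"0"))
        if drain_body:
            if len(buf) < body_len:
                break  # body not fully received yet; wait for more data
            buf = buf[body_len:]
    return handled


def client_view(sent, handled):
    """Pair the responses the server produced with the requests the client sent.

    A browser matches responses to requests by order on the connection, so
    when the server answered more requests than the client sent, the client's
    later requests receive responses that belong to the smuggled request.
    """
    return list(zip(sent, handled))


# Constructed sample traffic (not a capture). The attacker's page makes the
# victim browser POST to a static path; the body is a second request head.
SMUGGLED = b"GET /account/settings HTTP/1.1\r\nHost: victim.example\r\n\r\n"
REQUEST_1 = (
    b"POST /static/app.js HTTP/1.1\r\n"
    b"Host: victim.example\r\n"
    b"Content-Length: " + str(len(SMUGGLED)).encode() + b"\r\n"
    b"\r\n" + SMUGGLED
)
REQUEST_2 = b"GET /home HTTP/1.1\r\nHost: victim.example\r\n\r\n"
CLIENT_SENT = ["POST /static/app.js", "GET /home"]


def demo(drain_body):
    """Return (requests the server handled, how the client pairs the responses)."""
    handled = serve_connection(REQUEST_1 + REQUEST_2, drain_body)
    return handled, client_view(CLIENT_SENT, handled)


if __name__ == "__main__":
    for mode in (False, True):
        handled, view = demo(mode)
        print(f"drain_body={mode}")
        print("  server handled:", handled)
        print("  client pairing:", view)
```

Compare the two pairings: in the vulnerable mode the browser's own `GET /home` is answered with the response to the smuggled `GET /account/settings`, which is the desync. Draining the body (or closing the connection whenever a body was not consumed) restores one-to-one pairing. `Transfer-Encoding: chunked` bodies fail the same way and are not modelled here.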
Affected
7 distinct ranges (duplicate feed rows removed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | varnish | < 7.1.1-2+deb12u1 (bookworm) | 7.1.1-2+deb12u1 (bookworm) |
| varnish-cache | varnish | >= 0 < 6.5.1-1+deb11u4 (Debian package) | 6.5.1-1+deb11u4 |
| varnish-cache | varnish | >= 0 < 7.1.1-2+deb12u1 (Debian package) | 7.1.1-2+deb12u1 |
| varnish-cache | varnish | >= 0 < 7.7.0-1 (Debian package) | 7.7.0-1 |
| varnish-software | varnish_cache | >= 7.5.0 < 7.6.2 | 7.6.2 |
| varnish-software | varnish_enterprise | < 6.0.13r10 (per the advisory text; no range in the feed) | 6.0.13r10 |
| varnish_cache_project | varnish_cache | < 7.6.2 | 7.6.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| OSV | 4.8 | MEDIUM | |
| Debian | 5.4 | MEDIUM | |
| Red Hat | 5.4 | MEDIUM | |
OSV
osv · 2025-03-21 · CVSS 4.8 · MEDIUM
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
GHSA
GHSA-hxcm-q7m2-7qhp · ghsa_unreviewed · 2025-03-21 · MEDIUM · CWE-444
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
Red Hat
varnish: Client-Side Desynchronization in Varnish Cache
vendor_redhat · 2025-03-21 · CVSS 5.4 · MEDIUM · CWE-444
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
A flaw was found in Varnish Cache and Varnish Enterprise. This vulnerability allows client-side desynchronization via crafted HTTP/1 requests.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package status:
- varnish (Red Hat Enterprise Linux 10): Fix deferred
- varnish:6/varnish (Red Hat Enterprise Linux 8): Not affected
- varnish (Red Hat Enterprise Linux 9): Not affected
Debian
vendor_debian · 2025 · CVSS 5.4 · MEDIUM
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
Scope: local
Status per suite:
- bookworm: resolved (fixed in 7.1.1-2+deb12u1)
- bullseye: resolved (fixed in 6.5.1-1+deb11u4)
- forky: resolved (fixed in 7.7.0-1)
- sid: resolved (fixed in 7.7.0-1)
- trixie: resolved (fixed in 7.7.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-03-21