CVE-2025-47905
published 2025-05-13CVE-2025-47905: Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product…
PriorityP428medium5.4CVSS 3.1
AVNACHPRNUINSCCLILAN
EPSS
0.30%
21.6th percentile
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | varnish | < varnish 7.1.1-2+deb12u1 (bookworm) | varnish 7.1.1-2+deb12u1 (bookworm) |
| varnish-cache | varnish | >= 0 < 6.5.1-1+deb11u5 | 6.5.1-1+deb11u5 |
| varnish-cache | varnish | >= 0 < 7.1.1-2+deb12u1 | 7.1.1-2+deb12u1 |
| varnish-cache | varnish | >= 0 < 7.7.0-2 | 7.7.0-2 |
| varnish-cache | varnish | >= 0 < 7.7.0-2 | 7.7.0-2 |
| varnish-software | varnish_cache | < 6.0.14 LTS | 6.0.14 LTS |
| varnish-software | varnish_cache | >= 7.0.0 < 7.6.3 | 7.6.3 |
| varnish-software | varnish_cache | >= 7.7.0 < 7.7.1 | 7.7.1 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
osv5.4MEDIUM
vendor_debian5.4MEDIUM
vendor_redhat5.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
varnish: request smuggling attacks
vendor_redhat·2025-05-13·CVSS 5.4
CVE-2025-47905 [MEDIUM] CWE-444 varnish: request smuggling attacks
varnish: request smuggling attacks
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.
A vulnerability was found in Varnish Cache. This vulnerability may allow request smuggling attacks, where a malicious actor can craft seemingly legitimate HTTP requests. This issue could result in an unspecified system caching incorrect content that can expose confidential information.
Statement: This vulnerability is rated as an IMPORTANT severity because this is a client-side desync vulnerability in Varnish handling a chunked transfer encoding, where it mishandles CRLF delimiters, allows attackers to smuggle additional HTTP/1 requ
Debian
CVE-2025-47905: varnish - Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6...
vendor_debian·2025·CVSS 5.4
CVE-2025-47905 [MEDIUM] CVE-2025-47905: varnish - Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6...
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.
Scope: local
bookworm: resolved (fixed in 7.1.1-2+deb12u1)
bullseye: resolved (fixed in 6.5.1-1+deb11u5)
forky: resolved (fixed in 7.7.0-2)
sid: resolved (fixed in 7.7.0-2)
trixie: resolved (fixed in 7.7.0-2)
GHSA
GHSA-cvpp-rmjx-5x2m: Varnish Cache before 7
ghsa_unreviewed·2025-05-14
CVE-2025-47905 [MEDIUM] CWE-444 GHSA-cvpp-rmjx-5x2m: Varnish Cache before 7
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.
OSV
CVE-2025-47905: Varnish Cache before 7
osv·2025-05-13·CVSS 5.4
CVE-2025-47905 [MEDIUM] CVE-2025-47905: Varnish Cache before 7
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-05-13
Published