Hello there,

We released Varnish Cache 7.7.1, 7.6.3, and 6.0.14 yesterday (sorry for the delay).
These releases fix a vulnerability reported to us, which got the name VSV00016.

*CVE*: Not assigned yet, expect a follow-up here.

A client-side desync vulnerability can be triggered in Varnish Cache. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 chunked requests.

An attacker can abuse a flaw in Varnish’s handling of chunked transfer encoding which allows certain malformed HTTP/1 requests to exploit improper framing of the message body to smuggle additional requests. Specifically, Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.

Impact <https://varnish-cache.org/security/VSV00016.html#impact>

The primary risk of this vulnerability is enabling HTTP request smuggling attacks, which could have consequences for downstream systems. Specifically:

- *Cache Poisoning*: A downstream cache positioned in front of Varnish could cache incorrect or malicious content if it allows the aforementioned malformed HTTP/1 requests to pass through unhandled. This can lead to unintended responses being served to users, potentially exposing sensitive information or delivering harmful payloads.
- *Security Risks*: Bypass of WAF type products downstream from Varnish could be achieved if these products are configured to not inspect request bodies and in addition allow the aforementioned malformed HTTP/1 requests to pass through.

The vulnerability has been given a severity rating of *low/medium*.

Versions affected <https://varnish-cache.org/security/VSV00016.html#versions-affected>

- Varnish Cache releases up to and including 7.7.0.
- Varnish Cache 6.0 LTS series up to and including 6.0.13.

Versions not affected <https://varnish-cache.org/security/VSV00016.html#versions-not-affected>

- Varnish Cache 7.7.1 (released 2025-05-12)
- Varnish Cache 7.6.3 (released 2025-05-12)
- Varnish Cache 6.0 LTS version 6.0.14 (released 2025-05-12)

Solution <https://varnish-cache.org/security/VSV00016.html#solution>

The recommended solution is to upgrade Varnish to one of the versions where this issue has been resolved, and then ensure that Varnish is restarted.

Thankyous and credits <https://varnish-cache.org/security/VSV00016.html#thankyous-and-credits>

Ben Kallus at Dartmouth College for finding and reporting the issue to the project in a responsible manner.

Nils Goroll (UPLEX), Dridi Boukelmoune (Varnish Software) and Poul-Henning Kamp for the patches.

Varnish Software for handling this security incident.

References:

- https://varnish-cache.org/security/VSV00016.html#vsv00016
- https://varnish-cache.org/security/index.html
- https://varnish-cache.org/lists/pipermail/varnish-announce/2025-May/000767.html
- https://github.com/varnishcache/varnish-cache
- https://varnish-cache.org/releases/rel7.7.1.html#rel7-7-1
- https://varnish-cache.org/releases/rel7.6.3.html#rel7-6-3
- https://varnish-cache.org/releases/rel6.0.14.html#rel6-0-14

--
Asad
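
Added example (not part of the announcement and not Varnish code): a strict chunked-body framing check following RFC 9112 section 7.1, which rejects a chunk whose data is not followed by CRLF, the delimiter the advisory says was allowed to be skipped. The names FramingError, parse_chunked and is_well_framed are hypothetical, and the sample bodies are constructed.

```python
import re

# chunk-size line: hex digits, optional chunk extension, mandatory CRLF.
# Extension syntax is simplified here to "anything up to the CRLF".
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


class FramingError(ValueError):
    """Raised when the body does not follow strict chunked framing."""


def parse_chunked(buf: bytes) -> int:
    """Return the number of bytes the chunked body occupies in buf.

    Every delimiter must be a literal CRLF; nothing is skipped or guessed.
    """
    pos = 0
    while True:
        m = _SIZE_LINE.match(buf, pos)
        if m is None:
            raise FramingError(f"bad chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            break  # last-chunk reached, trailer section follows
        data_end = pos + size
        if data_end + 2 > len(buf):
            raise FramingError(f"truncated chunk at offset {pos}")
        if buf[data_end:data_end + 2] != b"\r\n":
            raise FramingError(f"missing CRLF after chunk data at offset {data_end}")
        pos = data_end + 2
    # Trailer section: zero or more lines, ended by an empty line.
    # Trailer field syntax itself is not validated in this example.
    while True:
        end = buf.find(b"\r\n", pos)
        if end == -1:
            raise FramingError("unterminated trailer section")
        if end == pos:
            return pos + 2
        pos = end + 2


def is_well_framed(buf: bytes) -> bool:
    try:
        parse_chunked(buf)
        return True
    except FramingError:
        return False


GOOD = b"3\r\nabc\r\n0\r\n\r\n"   # constructed: well-formed body
NO_CRLF = b"3\r\nabc0\r\n\r\n"    # constructed: CRLF after chunk data missing
```

A front-end component that frames bodies this strictly and refuses what fails the check does not pass the malformed requests through, which is the precondition the Impact section names for both the cache poisoning and WAF bypass cases.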