Hello Asad,

Is any CVE already assigned after the announcement was sent? If not I can provide a CVE identifier if needed.

Thanks,
Marco Benatto
Red Hat Product Security
secal...@redhat.com for urgent response

On Tue, May 13, 2025 at 12:23 PM Asad Ahmed <asa...@varnish-software.com> wrote:
>
> Hello there,
>
> We released Varnish Cache 7.7.1, 7.6.3, and 6.0.14 yesterday (sorry for the
> delay).
>
> These releases fix a vulnerability reported to us, which got the name
> VSV00016.
>
> *CVE*: Not assigned yet, expect a follow-up here.
>
> A client-side desync vulnerability can be triggered in Varnish Cache. This
> vulnerability can be triggered under specific circumstances involving
> malformed HTTP/1 chunked requests.
>
> An attacker can abuse a flaw in Varnish’s handling of chunked transfer
> encoding which allows certain malformed HTTP/1 requests to exploit improper
> framing of the message body to smuggle additional requests. Specifically,
> Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.
>
> Impact <https://varnish-cache.org/security/VSV00016.html#impact>
>
> The primary risk of this vulnerability is enabling HTTP request smuggling
> attacks, which could have consequences for downstream systems. Specifically:
>
> *Cache Poisoning*: A downstream cache positioned in front of Varnish could
> cache incorrect or malicious content if it allows the aforementioned
> malformed HTTP/1 requests to pass through unhandled. This can lead to
> unintended responses being served to users, potentially exposing sensitive
> information or delivering harmful payloads.
>
> *Security Risks*: Bypass of WAF type products downstream from Varnish could
> be achieved if these products are configured to not inspect request bodies
> and in addition allow the aforementioned malformed HTTP/1 requests to pass
> through.
>
> The vulnerability has been given a severity rating of *low/medium*.
>
> Versions affected
> <https://varnish-cache.org/security/VSV00016.html#versions-affected>
>
> - Varnish Cache releases up to and including 7.7.0.
> - Varnish Cache 6.0 LTS series up to and including 6.0.13.
>
> Versions not affected
> <https://varnish-cache.org/security/VSV00016.html#versions-not-affected>
>
> - Varnish Cache 7.7.1 (released 2025-05-12)
> - Varnish Cache 7.6.3 (released 2025-05-12)
> - Varnish Cache 6.0 LTS version 6.0.14 (released 2025-05-12)
>
> Solution <https://varnish-cache.org/security/VSV00016.html#solution>
>
> The recommended solution is to upgrade Varnish to one of the versions where
> this issue has been resolved, and then ensure that Varnish is restarted.
>
> Thankyous and credits
> <https://varnish-cache.org/security/VSV00016.html#thankyous-and-credits>
>
> Ben Kallus at Dartmouth College for finding and reporting the issue to the
> project in a responsible manner.
> Nils Goroll (UPLEX), Dridi Boukelmoune (Varnish Software) and Poul-Henning
> Kamp for the patches.
> Varnish Software for handling this security incident.
>
> References:
>
> - https://varnish-cache.org/security/VSV00016.html#vsv00016
> - https://varnish-cache.org/security/index.html
> - https://varnish-cache.org/lists/pipermail/varnish-announce/2025-May/000767.html
> - https://github.com/varnishcache/varnish-cache
> - https://varnish-cache.org/releases/rel7.7.1.html#rel7-7-1
> - https://varnish-cache.org/releases/rel7.6.3.html#rel7-6-3
> - https://varnish-cache.org/releases/rel6.0.14.html#rel6-0-14
>
> --
> Asad
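The advisory quoted above describes the flaw only in one sentence: a chunked body is accepted even when the CRLF that should follow a chunk's data is missing. The following is an added illustration written for this note, not Varnish source and not a reproduction of the fixed code. It implements a small RFC 9112 chunked-body decoder with a `strict` switch: in strict mode a chunk whose data is not followed by CRLF is rejected; in lenient mode the decoder skips straight to the next chunk-size line, which is the tolerance the advisory describes. The sample request bytes (`MALFORMED`, `WELL_FORMED`) and the `/smuggled` path are constructed for the demonstration.

```python
"""Strict vs CRLF-tolerant HTTP/1 chunked-body decoding (illustrative only).

This is not Varnish code. The lenient mode mimics the behaviour named in
VSV00016 (a missing CRLF after chunk data is tolerated); the real parser's
internals are not reproduced here.
"""

CRLF = b"\r\n"
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


class ChunkError(ValueError):
    """Raised when the body is not well-formed chunked encoding."""


def parse_chunked(data: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Decode a chunked body. Returns (decoded_body, leftover_bytes).

    leftover_bytes is whatever follows the last-chunk and trailer section. On a
    keep-alive connection a server treats those bytes as the start of the next
    request, which is why a framing disagreement between two hops becomes
    request smuggling.
    """
    body = bytearray()
    pos = 0
    while True:
        end = data.find(CRLF, pos)
        if end < 0:
            raise ChunkError("chunk-size line not terminated")
        # Drop any chunk extension (";name=value") before reading the size.
        size_field = data[pos:end].split(b";", 1)[0]
        # Only bare hex digits: int(..., 16) alone would also accept "0x", "+",
        # "_" and surrounding whitespace, which a strict parser must not.
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ChunkError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ChunkError("truncated chunk data")
        body += chunk
        pos += size
        if data[pos:pos + 2] == CRLF:
            pos += 2
        elif strict:
            raise ChunkError("chunk data not followed by CRLF")
        # Lenient: no CRLF after the data; treat the next bytes as a size line.
    # Trailer section: zero or more header lines, then one empty line.
    while True:
        end = data.find(CRLF, pos)
        if end < 0:
            raise ChunkError("trailer section not terminated")
        line = data[pos:end]
        pos = end + 2
        if not line:
            break
    return bytes(body), data[pos:]


def accepts(data: bytes, strict: bool) -> bool:
    """True if the decoder accepts the body in the given mode."""
    try:
        parse_chunked(data, strict=strict)
    except ChunkError:
        return False
    return True


# Constructed samples (not captured traffic).
WELL_FORMED = b"2\r\nAB\r\n0\r\n\r\n"
# Same payload, but the CRLF after the chunk data "AB" is deliberately omitted,
# and a second request-line follows the terminating chunk.
MALFORMED = (
    b"2\r\n"
    b"AB"
    b"0\r\n"
    b"\r\n"
    b"GET /smuggled HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    print("strict accepts malformed:", accepts(MALFORMED, strict=True))
    body, rest = parse_chunked(MALFORMED, strict=False)
    print("lenient body:", body)
    print("lenient leftover (next 'request'):", rest)
```

Both modes decode `WELL_FORMED` to the body `AB` with nothing left over. On `MALFORMED`, the strict decoder rejects the message, while the lenient decoder returns the body `AB` and hands `GET /smuggled ...` back as the start of a second request. Which hop ends up desynchronised from which in a real deployment depends on how the component in front of Varnish frames the same bytes; the advisory's conditions (the upstream cache or WAF passing the malformed request through unhandled, or not inspecting bodies) are exactly the cases where that disagreement is not caught. The fix for a parser is the strict branch above: require the CRLF, or reject the request.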