Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CA+NO1zTqeNPvwupEFgcr6T4NgU3V93vtJ8eEpmAHYMGjvpR6YQ@mail.gmail.com>
Date: Tue, 13 May 2025 16:57:33 +0200
From: Asad Ahmed <asadsa@...nish-software.com>
To: oss-security@...ts.openwall.com
Subject: VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack

Hello there,

We released Varnish Cache 7.7.1, 7.6.3, and 6.0.14 yesterday (sorry for the
delay).

These releases fixes a vulnerability reported to us, which got the name
VSV00016.


*CVE*: Not assigned yet, expect a follow-up here.

A client-side desync vulnerability can be triggered in Varnish Cache. This
vulnerability can be triggered under specific circumstances involving
malformed HTTP/1 chunked requests.

An attacker can abuse a flaw in Varnish’s handling of chunked transfer
encoding which allows certain malformed HTTP/1 requests to exploit improper
framing of the message body to smuggle additional requests. Specifically,
Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.
Impact <https://varnish-cache.org/security/VSV00016.html#impact>

The primary risk of this vulnerability is enabling HTTP request smuggling
attacks, which could have consequences for downstream systems. Specifically:

*Cache Poisoning*: A downstream cache positioned in front of Varnish could
cache incorrect or malicious content if it allows the aforementioned
malformed HTTP/1 requests to pass through unhandled. This can lead to
unintended responses being served to users, potentially exposing sensitive
information or delivering harmful payloads.

*Security Risks*: Bypass of WAF type products downstream from Varnish could
be achieved if these products are configured to not inspect request bodies
and in addition allow the aforementioned malformed HTTP/1 requests to pass
through.

The vulnerability has been given a severity rating of *low/medium*.
Versions affected
<https://varnish-cache.org/security/VSV00016.html#versions-affected>

   -

   Varnish Cache releases up to and including 7.7.0.
   -

   Varnish Cache 6.0 LTS series up to and including 6.0.13.

Versions not affected
<https://varnish-cache.org/security/VSV00016.html#versions-not-affected>

   -

   Varnish Cache 7.7.1 (released 2025-05-12)
   -

   Varnish Cache 7.6.3 (released 2025-05-12)
   -

   Varnish Cache 6.0 LTS version 6.0.14 (released 2025-05-12)

Solution <https://varnish-cache.org/security/VSV00016.html#solution>

The recommended solution is to upgrade Varnish to one of the versions where
this issue has been resolved, and then ensure that Varnish is restarted.
Thankyous and credits
<https://varnish-cache.org/security/VSV00016.html#thankyous-and-credits>

Ben Kallus at Dartmouth College for finding and reporting the issue to the
project in a responsible manner.
Nils Goroll (UPLEX), Dridi Boukelmoune (Varnish Software) and Poul-Henning
Kamp for the patches.
Varnish Software for handling this security incident.

References:

- https://varnish-cache.org/security/VSV00016.html#vsv00016
- https://varnish-cache.org/security/index.html
-
https://varnish-cache.org/lists/pipermail/varnish-announce/2025-May/000767.html
- https://github.com/varnishcache/varnish-cache
- https://varnish-cache.org/releases/rel7.7.1.html#rel7-7-1
- https://varnish-cache.org/releases/rel7.6.3.html#rel7-6-3
- https://varnish-cache.org/releases/rel6.0.14.html#rel6-0-14

-- 
Asad

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.