CVE-2025-47905

Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.

References

Affected packages

Debian:11 / varnish

Package

Name: varnish
Purl: pkg:deb/debian/varnish?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.1-1+deb11u5

Affected versions

6.*

6.5.1-1

6.5.1-1+deb11u1

6.5.1-1+deb11u2

6.5.1-1+deb11u3

6.5.1-1+deb11u4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / varnish

Package

Name: varnish
Purl: pkg:deb/debian/varnish?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.1.1-2+deb12u1

Affected versions

7.*

7.1.1-1.1

7.1.1-1.1+deb12u1

7.1.1-1.2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / varnish

Package

Name: varnish
Purl: pkg:deb/debian/varnish?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.7.0-2

Affected versions

7.*

7.1.1-1.1

7.1.1-1.2

7.5.0-1

7.5.0-2

7.5.0-3

7.6.0-1

7.6.0-2

7.6.1-1

7.6.1-2

7.7.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}