Description
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
Scores
CVSS v3: 5.4
EPSS: 0.0040
EPSS Percentile: 60.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-444
Status: published
Products (4)
varnish-software/varnish_enterprise: 6.0.11 r1 (7 CPE variants)
varnish-software/varnish_enterprise: 6.0.12 r1 (9 CPE variants)
varnish-software/varnish_enterprise: 6.0.13 r1 (9 CPE variants)
varnish_cache_project/varnish_cache: < 7.6.2
Published: Mar 21, 2025
Tracked Since: Feb 18, 2026