CVE-2025-47905
MEDIUM
Varnish Cache <7.6.3-7.7.1 & Varnish Enterprise <6.0.13r14 - Open R...
Title source: llm
Description
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.
Scores
CVSS v3
5.4
EPSS
0.0029
EPSS Percentile
52.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-444
Status
published
Products (3)
varnish-software/Varnish Cache
< 6.0.14 LTS
varnish-software/Varnish Cache
7.0.0 - 7.6.3
varnish-software/Varnish Cache
7.7.0 - 7.7.1
Published
May 13, 2025
Tracked Since
Feb 18, 2026