[manjaro-security] [ASA-202505-13] varnish: content spoofing

Andrea Denisse denisse at archlinux.org
Wed May 28 01:37:33 CEST 2025


Arch Linux Security Advisory ASA-202505-13
==========================================

Severity: High
Date    : 2025-05-20
CVE-ID  : CVE-2025-47905
Package : varnish
Type    : content spoofing
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2879

Summary
=======

The package varnish before version 7.7.1-1 is vulnerable to content
spoofing.

Resolution
==========

Upgrade to 7.7.1-1.

# pacman -Syu "varnish>=7.7.1-1"

The problem has been fixed upstream in version 7.7.1.

Workaround
==========

None.

Description
===========

A client-side desync vulnerability can be triggered in Varnish Cache.
This vulnerability can be triggered under specific circumstances
involving malformed HTTP/1 chunked requests.

An attacker can abuse a flaw in Varnish’s handling of chunked transfer
encoding which allows certain malformed HTTP/1 requests to exploit
improper framing of the message body to smuggle additional requests.
Specifically, Varnish incorrectly permits CRLF to be skipped to delimit
chunk boundaries.

Impact
======

A remote attacker able to send specially crafted HTTP/1 chunked
requests can exploit Varnish to smuggle additional requests,
potentially leading to information disclosure and allowing incorrect or
malicious content to be cached and served to other users.

References
==========

https://varnish-cache.org/releases/rel7.7.1.html
https://varnish-cache.org/security/VSV00016.html
https://varnish-cache.org/lists/pipermail/varnish-announce/2025-May/000767.html
https://security.archlinux.org/CVE-2025-47905


More information about the manjaro-security mailing list