Varnish Cache@* Security Vulnerabilities and Issues — Varnish Cache@* CVE List

Lucene search

Varnish Cache ProjectVarnish Cache*

10 matches found

CVE•added 2023/10/10 2:15 p.m.•4676 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

7.5CVSS8AI score0.94414EPSS

In wildWeb

CVE•added 2019/09/03 9:15 p.m.•1383 views

CVE-2019-15892

An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service ...

7.8CVSS7.2AI score0.05554EPSS

CVE•added 2017/11/16 2:29 a.m.•472 views

CVE-2017-8807

vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore tra...

9.1CVSS8.8AI score0.01748EPSS

CVE•added 2022/01/26 1:15 a.m.•231 views

CVE-2022-23959

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.

9.1CVSS9AI score0.0051EPSS

CVE•added 2021/07/14 5:15 p.m.•178 views

CVE-2021-36740

Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.

6.5CVSS6.5AI score0.00122EPSS

CVE•added 2022/11/09 6:15 a.m.•131 views

CVE-2022-45060

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce inva...

7.5CVSS7.3AI score0.00596EPSS

CVE•added 2022/11/09 6:15 a.m.•74 views

CVE-2022-45059

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

7.5CVSS7.2AI score0.00465EPSS

CVE•added 2025/03/21 7:15 a.m.•59 views

CVE-2025-30346

Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.

5.4CVSS7.1AI score0.00059EPSS

CVE•added 2013/11/01 2:55 a.m.•57 views

CVE-2013-4484

Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI.

5CVSS6.3AI score0.01461EPSS

CVE•added 2020/02/12 4:15 p.m.•43 views

CVE-2013-4090

Varnish HTTP cache before 3.0.4: ACL bug

7.5CVSS7.5AI score0.00351EPSS