CVE-2025-30346

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30346
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://varnish-cache.org/security/VSV00015.html Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/03/msg00027.html
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r9:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r9:*:*:*:*:*:*
cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*
History

02 Apr 2025, 22:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/03/msg00027.html -

24 Mar 2025, 14:47

Type Values Removed Values Added
CPE cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r3:*:*:*:*:*:*
cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r9:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r9:*:*:*:*:*:*
Summary
  • (es) Varnish Cache anterior a 7.6.2 y Varnish Enterprise anterior a 6.0.13r10 permiten la desincronización del lado del cliente a través de solicitudes HTTP/1.
First Time Varnish Cache Project
Varnish-software
Varnish-software varnish Enterprise
Varnish Cache Project varnish Cache
References () https://varnish-cache.org/security/VSV00015.html - () https://varnish-cache.org/security/VSV00015.html - Vendor Advisory

21 Mar 2025, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-21 07:15

Updated : 2025-04-02 22:15

NVD link : CVE-2025-30346

Mitre link : CVE-2025-30346

CVE.ORG link : CVE-2025-30346

JSON object : View

Products Affected

varnish_cache_project

  • varnish_cache

varnish-software

  • varnish_enterprise
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')