CVE-2025-47905 Information

Description

Varnish Cache before 7.6.3 and 7.7 before 7.7.1 and Varnish Enterprise before 6.0.13r14 allow client-side desync via HTTP/1 requests because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.

Reference

https://varnish-cache.org/security/VSV00016.html