Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.
varnish-devel Red Hat / RHEL
varnish-docs Red Hat / RHEL
varnish-modules Rocky
Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.x86_64::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.src::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.ppc64le::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.src::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.src::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.aarch64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.src::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.src::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.x86_64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.x86_64::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.ppc64le::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.s390x::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8294 varnish-modules Red Hat / RHEL
Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.src::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.src::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.ppc64le::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.x86_64::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.x86_64::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.src::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.src::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.src::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.ppc64le::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.s390x::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.aarch64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.x86_64::varnish:6 RHSA-2025:8336 varnish-modules-debuginfo Rocky
Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.x86_64::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.s390x::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.x86_64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.ppc64le::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.x86_64::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.ppc64le::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.aarch64::varnish:6 RHSA-2025:8336 varnish-modules-debuginfo Red Hat / RHEL
Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.ppc64le::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.x86_64::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.aarch64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.ppc64le::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.x86_64::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.x86_64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.s390x::varnish:6 RHSA-2025:8336 varnish-modules-debugsource Rocky
Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.x86_64::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.x86_64::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.s390x::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.ppc64le::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.aarch64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.ppc64le::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.x86_64::varnish:6 RHSA-2025:8336 varnish-modules-debugsource Red Hat / RHEL
Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.ppc64le::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-4.module+el8+2481+4078e9d2.x86_64::varnish:6 RHSA-2025:8339 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.x86_64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.aarch64::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.aarch64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.x86_64::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.s390x::varnish:6 RHSA-2025:8310 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.x86_64::varnish:6 RHSA-2025:8340 Fixed in: 0:0.15.0-6.module+el8.5.0+11976+0b4af72d.ppc64le::varnish:6 RHSA-2025:8294 Fixed in: 0:0.15.0-6.module+el8.10.0+21682+bcdd3a30.s390x::varnish:6 RHSA-2025:8336 Fixed in: 0:0.15.0-5.module+el8.3.0+6843+b3b42fcc.ppc64le::varnish:6 RHSA-2025:8340 Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
Exploitability
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Impact
Confidentiality Low
Integrity Low
Availability None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
0.30% probability of exploitation in 30 days
22nd percentile
Low risk: more likely to be exploited than 22% of all known CVEs.
Other CWE-444 vulnerabilities, ordered by exploit likelihood. View all
Embed a live status badge for CVE-2025-47905 Markdown
[](https://tridentstack.com/cve/CVE-2025-47905)HTML
<a href="https://tridentstack.com/cve/CVE-2025-47905"><img src="https://tridentstack.com/cve/badge/CVE-2025-47905.svg" alt="CVE-2025-47905"></a>Find and fix vulnerabilities across your fleet TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start free This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-05-29.