Vulnerabilities > Varnish Software

DATE CVE VULNERABILITY TITLE RISK
2025-03-21 CVE-2025-30346 HTTP Request Smuggling vulnerability in multiple products
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
4.8
2025-03-21 CVE-2025-30347 Out-of-bounds Read vulnerability in Varnish-Software Varnish Enterprise 6.0.13
Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read for range requests on ephemeral MSE4 stevedore objects.
network
low complexity
varnish-software CWE-125
7.5
2023-08-23 CVE-2023-41104 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Varnish-Software Varnish Enterprise and Vmod Digest
libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information disclosure; however, the exact attack surface will depend on the particular VCL (Varnish Configuration Language) configuration in use.
network
low complexity
varnish-software CWE-119
6.5
2022-11-09 CVE-2022-45060
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1.
7.5
2022-01-26 CVE-2022-23959 HTTP Request Smuggling vulnerability in multiple products
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
9.1
2021-07-14 CVE-2021-36740 HTTP Request Smuggling vulnerability in multiple products
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request.
6.5
2020-04-08 CVE-2020-11653 Reachable Assertion vulnerability in multiple products
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2.
7.5
2020-04-08 CVE-2019-20637 Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1.
7.5
2019-09-03 CVE-2019-15892 Reachable Assertion vulnerability in multiple products
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1.
7.5
2017-08-04 CVE-2017-12425 Integer Overflow or Wraparound vulnerability in multiple products
An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2.
7.5