Package | varnish |
---|---|
Version | 6.1.1-1+deb10u5 (buster) |
Related CVEs | CVE-2025-30346 CVE-2025-47905 |
Two client-side desync vulnerabilities can be triggered in Varnish, a high-performance web accelerator. An attacker can exploit these flaws using malformed HTTP/1 requests. The primary risk is HTTP request smuggling, which could lead to cache poisoning or the bypass of a web application firewall.
For Debian 10 buster, these problems have been fixed in version 6.1.1-1+deb10u5.
We recommend that you upgrade your varnish packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.