| Package | varnish |
|---|---|
| Version | 5.0.0-7+deb9u4 (stretch) |
| Related CVEs | CVE-2025-47905 |
A client-side desync vulnerability can be triggered in Varnish Cache, a state of the art, high-performance web accelerator. An attacker can abuse a flaw in Varnish’s handling of chunked transfer encoding which allows certain malformed HTTP/1 requests to exploit improper framing of the message body to smuggle additional requests. Specifically, Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.
For Debian 9 stretch, these problems have been fixed in version 5.0.0-7+deb9u4.
We recommend that you upgrade your varnish packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.