---

CVE-2025-47905 - log back

CVE-2025-47905 edited at 21 May 2025 21:28:34
Type	- Information disclosure + Content spoofing

CVE-2025-47905 created at 20 May 2025 20:32:25
Severity	+ High
Remote	+ Remote
Type	+ Information disclosure
Description	+ A client-side desync vulnerability can be triggered in Varnish Cache. This vulnerability can be triggered under specific circumstances involving malformed HTTP/1 chunked requests. + + An attacker can abuse a flaw in Varnish’s handling of chunked transfer encoding which allows certain malformed HTTP/1 requests to exploit improper framing of the message body to smuggle additional requests. Specifically, Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.
References	+ https://varnish-cache.org/releases/rel7.7.1.html + https://varnish-cache.org/security/VSV00016.html + https://varnish-cache.org/lists/pipermail/varnish-announce/2025-May/000767.html
Notes