Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Varnish-software
  • Varnish Enterprise
Varnish Cache Project
  • Varnish Cache

Configuration 1 [-]

OR cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r9:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r9:*:*:*:*:*:*
cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*

No data.

References
Link Providers
https://lists.debian.org/debian-lts-announce/2025/03/msg00027.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-30346 cve-icon
https://varnish-cache.org/security/VSV00015.html cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-30346 cve-icon
History

Thu, 03 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 02 Apr 2025 22:45:00 +0000

Type Values Removed Values Added
References

Mon, 24 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Varnish-software
Varnish-software varnish Enterprise
Varnish Cache Project
Varnish Cache Project varnish Cache
CPEs cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.11:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.12:r9:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r1:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r2:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r3:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r4:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r5:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r6:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r7:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r8:*:*:*:*:*:*
cpe:2.3:a:varnish-software:varnish_enterprise:6.0.13:r9:*:*:*:*:*:*
cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*
Vendors & Products Varnish-software
Varnish-software varnish Enterprise
Varnish Cache Project
Varnish Cache Project varnish Cache

Fri, 21 Mar 2025 15:00:00 +0000

Type Values Removed Values Added
Title varnish: Client-Side Desynchronization in Varnish Cache
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 21 Mar 2025 06:45:00 +0000

Type Values Removed Values Added
Description Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.
Weaknesses CWE-444
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-04-03T13:05:21.274Z

Reserved: 2025-03-21T00:00:00.000Z

Link: CVE-2025-30346

cve-icon Vulnrichment

Updated: 2025-04-02T22:03:26.875Z

cve-icon NVD

Status : Modified

Published: 2025-03-21T07:15:37.350

Modified: 2025-04-02T22:15:20.097

Link: CVE-2025-30346

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-03-21T00:00:00Z

Links: CVE-2025-30346 - Bugzilla