VDB

CVE-2025-47905

CVE-2025-47905 PUBLISHED

Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.

EPSS 0.29% · 52.8th percentile

Risk Scores

EPSS Score
0.29%
52.8th percentile

Affected Products

VendorProductVersions
Bitnamivarnish7.0.0, 0
Bitnamivarnish7.0.0, 0

Timeline

  • May 12, 2025 CVE Published
  • May 14, 2025 EPSS Score
  • May 14, 2025 PoC Published
  • May 15, 2025 PoC Published
  • May 25, 2025 EPSS Score
  • Jun 6, 2025 EPSS Score
  • Jun 17, 2025 EPSS Score
  • Jun 20, 2025 Coalition ESS Score
  • Jun 29, 2025 EPSS Score
  • Jul 10, 2025 EPSS Score
  • Jul 21, 2025 EPSS Score
  • Jul 31, 2025 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›