Varnish Cache 6.5 / Varnish Modules 0.17.0 Denial of Service Security

Published March 16, 2021.


A problem has been found in the Header VMOD of the Varnish Modules collection of frequently used VMODs. It applies to version 0.17.0 of Varnish Modules, which is only compatible with the 6.5 version of Varnish Cache.

With common usage patterns of the Header VMOD in VCL, a remote client can trigger an assert or NULL pointer dereference in Varnish Cache, causing Varnish Cache to assert and restart.

More information, including how to identify vulnerable setups and how to work around the problem, may be found on the information page by the Varnish Cache project.

Note that Varnish Modules as bundled in Varnish Enterprise is not affected. The version of Varnish Modules for use with Varnish Cache 6.0-LTS is also not affected.

Versions affected

  • Varnish Modules version 0.17.0 for Varnish Cache version 6.5.

Versions not affected

  • All other releases of Varnish Modules for all other releases of Varnish Cache, including the 6.0-LTS series.

  • All bundled versions of Varnish Modules in Varnish Enterprise.