Search

Open Source Varnish Request Smuggling Security

Published November 8, 2022.

Note: This issue applies only to the open source version of Varnish Cache, in version 7.0.x, 7.1.x and 7.2.x. Varnish Enterprise is not affected. For more information please see the open source project’s advisory page.

A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. Among the headers that can be filtered this way are both Content-Length and Host, making it possible for an attacker to both break the HTTP/1 protocol framing, and bypass request to host routing in VCL.

Impact

The potential impact is information disclosure and cache poisoning.

Status

Affectec software versions

  • Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.2.0

Resolved in

  • Varnish Cache 7.1.2 (released 2022-11-08)
  • Varnish Cache 7.2.1 (released 2022-11-08)

Not affected software versions

  • All versions of Varnish Cache 6.0 LTS series and Varnish Enterprise by Varnish Software.

References