Note: This issue applies only to the open source version of Varnish Cache, in version 7.0.x, 7.1.x and 7.2.x. Varnish Enterprise is not affected. For more information please see the open source project’s advisory page.
A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop, preventing the
Varnish Cache servers from forwarding critical headers to the
backend. Among the headers that can be filtered this way are both
Content-Length
and Host
, making it possible for an attacker to both
break the HTTP/1 protocol framing, and bypass request to host routing
in VCL.
The potential impact is information disclosure and cache poisoning.