CVE-2025-47905
Alma Linux vulnerability analysis and mitigation

Overview

A client-side desynchronization vulnerability (CVE-2025-47905) was discovered in Varnish Cache (versions before 7.6.3 and 7.7 before 7.7.1) and Varnish Enterprise (before 6.0.13r14). The vulnerability was disclosed on May 12, 2025, and allows client-side desync via HTTP/1 requests due to incorrect handling of CRLF in chunk boundaries (Varnish Advisory, NVD).

Technical details

The vulnerability stems from a flaw in Varnish's handling of chunked transfer encoding: in HTTP/1 chunked requests, the software incorrectly allows the CRLF that delimits a chunk boundary to be omitted. Because Varnish and the next hop can then disagree on where the message body ends, this improper framing can be exploited to smuggle additional requests. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N and is categorized under CWE-444 (Inconsistent Interpretation of HTTP Requests) (NVD, Wiz).

Impact

The primary impact includes potential cache poisoning attacks where downstream caches positioned in front of Varnish could cache incorrect or malicious content, potentially exposing sensitive information or delivering harmful payloads. Additionally, it could enable bypass of WAF-type products downstream from Varnish if these products are configured to not inspect request bodies and allow malformed HTTP/1 requests (Varnish Advisory).

Mitigation and workarounds

If immediate upgrading is not possible, a temporary mitigation is to add VCL code that fails all client requests carrying `Transfer-Encoding: chunked`, though this may impact legitimate client traffic that streams request bodies. The recommended solution is to upgrade to Varnish Cache 7.7.1, 7.6.3, 6.0.14 LTS, or Varnish Enterprise 6.0.13r14, which have patched the vulnerability (Varnish Advisory).
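The following VCL is an added illustration of the stop-gap described above; it is example code written for this page, not the workaround text published in the Varnish advisory or by Wiz. It assumes VCL 4.1 syntax, that vmod_std is available (it ships with Varnish), and a placeholder backend on 127.0.0.1:8080 that you would replace with your origin.

```vcl
vcl 4.1;

import std;

# Constructed placeholder origin; replace with the real backend definition.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Reject any HTTP/1 client request that uses chunked transfer encoding.
    # The match is case-insensitive and also catches list values such as
    # "gzip, chunked". Legitimate clients that stream request bodies will be
    # refused too, so apply this only until the upgrade is in place.
    if (req.http.Transfer-Encoding ~ "(?i)chunked") {
        # Emit a VCL_Log record so rejections are visible in varnishlog,
        # which lets operators measure how much real traffic is affected.
        std.log("chunked-request-rejected client=" + client.ip
                + " url=" + req.url);
        return (synth(400, "Chunked transfer encoding is not accepted"));
    }
}
```

Load it with `varnishadm vcl.load` and `varnishadm vcl.use`, then watch `varnishlog` for the `chunked-request-rejected` records to gauge the impact on legitimate clients before leaving the rule in place. Remove the rule once Varnish has been upgraded to a fixed release.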

This report was generated using AI.
