Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.
AnalysisAI
Varnish Enterprise before version 6.0.16r12 is vulnerable to a workspace overflow denial of service attack that crashes the daemon through the headerplus.write_req0() VCL function. Unauthenticated remote attackers can craft HTTP requests with excessive header fields to trigger a panic and terminate the Varnish server, particularly impacting deployments using shared VCL through Varnish Controller. CVSS base score of 4.0 reflects low availability impact with high attack complexity, and no public exploit code or confirmed active exploitation has been identified.
Technical ContextAI
Varnish Enterprise is a reverse proxy and HTTP accelerator that uses VCL (Varnish Configuration Language) for request processing. The vmod_headerplus module provides the write_req0() function to update the underlying req0 object (the original read-only request from which the writable req object is derived in VCL). This capability is essential for shared VCL deployments orchestrated by Varnish Controller, where requests are refined in one VCL context before switching to another via vcl(<label>) return statements. The vulnerability stems from insufficient bounds checking when writing amended request headers back to req0's workspace allocation. When the amended req object contains more header fields than req0's workspace can accommodate, a buffer overflow occurs in the workspace memory region, triggering a daemon panic. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), indicating the function lacks proper validation of header field count or size before attempting the write operation.
RemediationAI
Upgrade Varnish Enterprise to version 6.0.16r12 or later. This release includes fixes to the headerplus.write_req0() function to properly validate header field counts and workspace capacity before writing amended request headers back to req0, preventing the workspace overflow condition. As a temporary workaround for organizations unable to upgrade immediately, review and restrict VCL configurations that invoke headerplus.write_req0(), ensuring that incoming requests are validated or rate-limited to prevent excessive header field injection attacks. Consult the Varnish Software security advisory at https://docs.varnish-software.com/security/VEV00003/ for detailed patching procedures and configuration guidance specific to your deployment.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21740