Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green
Lifecycle Timeline
3DescriptionCVE.org
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.
AnalysisAI
HTTP/2 request parsing in Vinyl Cache and Varnish Cache enables backend request desync (HTTP request smuggling), exploitable for cache poisoning, authentication bypass, and information disclosure against affected deployments. Vinyl Cache prior to 9.0.1 and Varnish Cache prior to 9.0.3, plus legacy pre-split Varnish Cache branches spanning versions 6.0.14 through 8.0.1, are confirmed affected across three distinct CPE lineages. Exploitation is gated behind an explicitly non-default configuration - HTTP/2 must be enabled via the +http2 feature parameter - which substantially limits exposure; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
Vinyl Cache and Varnish Cache are HTTP reverse proxy caches that mediate traffic between clients and backend origin servers. CWE-444 (Inconsistent Interpretation of HTTP Requests - HTTP Request/Response Smuggling) identifies the root cause class: the HTTP/2 request parser fails to consistently resolve request framing boundaries, causing the backend server to interpret the byte stream differently than the caching proxy does. This frontend/backend desync allows an attacker to inject a hidden second HTTP request into the backend's processing queue, ahead of or interleaved with requests from other users. The affected CPE strings - cpe:2.3:a:the_vinyl_cache_project:vinyl_cache, cpe:2.3:a:the_vinyl_cache_project:varnish_cache_(pre_split), and cpe:2.3:a:varnish_software:varnish_cache_by_varnish_software - confirm the parsing deficiency spans all three product lineages when HTTP/2 is active, with the vulnerability only reachable through the HTTP/2 code path introduced by the feature +http2 parameter.
RemediationAI
Upgrade Vinyl Cache to version 9.0.1 or later, and Varnish Cache by Varnish Software to version 9.0.3 or later, as detailed in the security advisory at https://vinyl-cache.org/security/VSV00019.html. For pre-split Varnish Cache installations on the 6.0.x (6.0.14-6.0.17) and 7.x-8.x (7.6.0-8.0.1) branches, consult the advisory directly to determine whether backport patches have been released for those branches, as specific fix versions for these older lineages are not confirmed in currently available data. If an immediate upgrade is not feasible, the most targeted compensating control is to remove the +http2 flag from the feature parameter in the Varnish or Vinyl Cache VCL configuration, disabling HTTP/2 entirely - this eliminates the attack vector at its source with no residual exposure from this CVE. The trade-off is reduced performance and multiplexing capability for HTTP/2-capable clients. Placing a hardening TLS-terminating load balancer in front of the cache that strictly normalizes and validates HTTP/2 framing before forwarding is a secondary mitigation, but adds operational complexity and does not guarantee elimination of all desync vectors.
More in Vinyl Cache
View allSame weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Information Disclosure
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 6.5.1-1+deb11u5 | - |
| bookworm, bookworm (security) | fixed | 7.1.1-2+deb12u1 | - |
| trixie | fixed | 7.7.0-3+deb13u1 | - |
| trixie (security) | fixed | 7.7.0-3+deb13u1 | - |
| forky, sid | vulnerable | 7.7.3-2 | - |
| bookworm | not-affected | - | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34066
GHSA-mwjg-3fm6-9v84