- CVE: CVE-2026-47905
- CVSS: 6.2 (Medium · CVSSv3)
- Product: Adobe CAI Content Credentials
- Affected: ≤ c2pa-v0.80.1
- Impact: CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)
- Status: No confirmed exploitation yet
- EPSS: 0.2% (30-day)
- Action: See vendor advisory
Varnish Software has disclosed a client-side desynchronization vulnerability, tracked as CVE-2025-47905, in both Varnish Cache and Varnish Enterprise, which under certain malformed HTTP/1 chunked request conditions, may allow HTTP request smuggling attacks. Though rated as low to medium severity, this flaw can lead to cache poisoning, WAF bypass, and other downstream security risks if unpatched.
“An attacker can abuse a flaw in Varnish’s handling of chunked transfer encoding… to smuggle additional requests,” the advisory explains.
The vulnerability stems from improper handling of chunked transfer encoding in HTTP/1 requests. Varnish incorrectly permits CRLF characters to be skipped, breaking the proper framing of HTTP request bodies and enabling request smuggling.
“Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries,” allowing attackers to slip in additional, hidden requests through crafted payloads.
This desynchronization issue poses multiple downstream threats:
- Cache Poisoning: If a downstream cache accepts the malformed requests, it may cache unintended or malicious content, serving manipulated pages to other users.
- WAF Bypass: If Web Application Firewalls (WAFs) are configured to ignore request bodies and do not properly parse malformed chunked requests, attackers could bypass security filters.
Affected Versions
- Varnish Cache: Up to and including version 7.7.0
- Varnish Cache 6.0 LTS: Up to and including 6.0.13
- Varnish Enterprise: Versions up to and including 6.0.13r13
Fixed Versions
- Varnish Cache 7.7.1, 7.6.3, and 6.0.14
- Varnish Enterprise 6.0.13r14
All fixed versions were released between April and May 2025, and the advisory strongly urges users to upgrade and restart Varnish to apply the fix.
For environments where immediate upgrading is not feasible, a VCL-based workaround is suggested:
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.