Security, bugs & vulnerabilities

List of all Varnish CVEs

Versions            CVE             What
5.x, 6.x, 7.x, 8.0  N/A             VSV00018 Varnish Cache absolute form parsing deficiency
5.x, 6.x, 7.x       CVE-2025-8671   VSV00017 Varnish HTTP/2 Made You Reset Attack
6.x, 7.x            CVE-2025-47905  VSV00016 Request Smuggling Attack
7.x                 CVE-2025-30346  VSV00015 Varnish HTTP/1 client-side desync vulnerability
5.x, 6.x, 7.x       CVE-2024-30156  VSV00014 Varnish HTTP/2 Broke Window Attack
5.x, 6.x, 7.x       CVE-2023-44487  VSV00013 Varnish HTTP/2 Rapid Reset Attack
vmod_digest         CVE-2023-41104  VSV00012 Base64 decoding vulnerability in vmod-digest
6.x, 7.x            CVE-2022-45060  VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
7.0, 7.1, 7.2       CVE-2022-45059  VSV00010 Varnish Request Smuggling Vulnerability
7.0, 7.1            CVE-2022-38150  VSV00009 Varnish Denial of Service Vulnerability
< 7.0.2             CVE-2022-23959  VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability
6.0, 6.5, 6.6       CVE-2021-36740  VSV00007 Varnish HTTP/2 Request Smuggling Attack
(6.5)               CVE-2021-28543  VSV00006 varnish-modules Denial of Service
6.0, 6.2, 6.3       CVE-2020-11653  VSV00005 Varnish HTTP Proxy Protocol V2 Denial of Service
6.0, 6.2, 6.3       CVE-2019-20637  VSV00004 Workspace information leak
6.0, 6.2            CVE-2019-15892  VSV00003 DoS attack vector
4.1, 5.2            CVE-2017-8807   VSV00002 Data leak - ‘-sfile’ Stevedore transient objects
4.x, 5.x            CVE-2017-12425  VSV00001 DoS vulnerability
< 3.0.5             CVE-2013-4484   DoS
<= 3.0.3            CVE-2013-0345   Local information leak
2.0.6               CVE-2009-4488   Trophy hunting
< 2.1.0             CVE-2009-2936   Trophy hunting

Reporting security vulnerabilities

New security vulnerabilities can be reported by sending an e-mail to security@varnish-software.com or announce@vinyl-cache.org.