Search criteria
2 vulnerabilities found for Varnish Cache by Varnish Software by Varnish Software
CVE-2026-50052 (GCVE-0-2026-50052)
Vulnerability from nvd – Published: 2026-06-03 03:56 – Updated: 2026-06-03 13:27
VLAI
Summary
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync
attack (request smuggling), which in turn can be used for cache poisoning,
authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the
feature parameter to contain +http2. HTTP/2 support is disabled by
default.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| The Vinyl Cache Project | Vinyl Cache |
Affected:
9.0.0
Unaffected: 9.0.1 |
|
| The Vinyl Cache Project | Varnish Cache (pre split) |
Affected:
7.6.0 , ≤ 8.0.1
(semver)
Unaffected: 8.0.2 Affected: 6.0.14 , ≤ 6.0.17 (semver) Unaffected: 6.0.18 |
|
| Varnish Software | Varnish Cache by Varnish Software |
Affected:
9.0.0 , ≤ 9.0.2
(semver)
Unaffected: 9.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50052",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:27:03.836713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:27:33.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vinyl Cache",
"programFiles": [
"bin/vinyld/http2/cache_http2_hpack.c"
],
"repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
"vendor": "The Vinyl Cache Project",
"versions": [
{
"status": "affected",
"version": "9.0.0"
},
{
"status": "unaffected",
"version": "9.0.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Varnish Cache (pre split)",
"programFiles": [
"bin/varnishd/http2/cache_http2_hpack.c"
],
"repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
"vendor": "The Vinyl Cache Project",
"versions": [
{
"lessThanOrEqual": "8.0.1",
"status": "affected",
"version": "7.6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.0.2"
},
{
"lessThanOrEqual": "6.0.17",
"status": "affected",
"version": "6.0.14",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.0.18"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Varnish Cache by Varnish Software",
"programFiles": [
"bin/vinyld/http2/cache_http2_hpack.c"
],
"repo": "https://github.com/varnish/varnish",
"vendor": "Varnish Software",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.0.3"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ehttp2 enabled\u003c/div\u003e\u003cdiv\u003eexploitable URLs present (require request body)\u003c/div\u003e"
}
],
"value": "http2 enabled\n\nexploitable URLs present (require request body)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:59:35.155Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://vinyl-cache.org/security/VSV00019.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUpdate to fix version\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Update to fix version"
}
],
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eDisable HTTP/2\u003c/h3\u003e\u003cp\u003eThe vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set feature -http2\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by removing \u003ccode\u003e-p feature=+http2\u003c/code\u003e from the \u003ccode\u003evinyld\u003c/code\u003e startup\nparameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the \u003ccode\u003eh2\u003c/code\u003e ALPN. For example with \u003ccode\u003ehaproxy\u003c/code\u003e, in the\n\u003ccode\u003elisten\u003c/code\u003e/\u003ccode\u003ebind\u003c/code\u003e configuration directive, \u003ccode\u003ealpn h2,http/1.1\u003c/code\u003e should be\nreplaced with \u003ccode\u003ealpn http/1.1\u003c/code\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\n\n\n\n * at runtime by issuing vinyladm param.set feature -http2\n\n\n\n * persistently by removing -p feature=+http2 from the vinyld startup\nparameters\n\n\n\n\n\n\nNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the h2 ALPN. For example with haproxy, in the\nlisten/bind configuration directive, alpn h2,http/1.1 should be\nreplaced with alpn http/1.1."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eIn VCL, add a vmod re2 header filter\u003c/h3\u003e\u003cp\u003eThis method requires \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e header filters (see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://vinyl-cache.org/tutorials/hdr_filter.html\"\u003etutorial\u003c/a\u003e for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\u003c/p\u003e\n\u003cp\u003eTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%\u0026amp;\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eTo the best of our knowledge, where \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e is already used with a\n\u003ccode\u003ehdr_filter\u003c/code\u003e in allow mode (second argument \u003ccode\u003etrue\u003c/code\u003e), protection is already\nsufficient unless the empty string is allowed.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In VCL, add a vmod re2 header filterThis method requires vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 .\n\n\n vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 header filters (see the tutorial https://vinyl-cache.org/tutorials/hdr_filter.html for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\n\n\nTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\n\n\n## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%\u0026\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nTo the best of our knowledge, where vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 is already used with a\nhdr_filter in allow mode (second argument true), protection is already\nsufficient unless the empty string is allowed."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch4\u003e\u0026gt;= 7.6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\u003c/p\u003e\n\u003cp\u003eFor Vinyl Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evinyld\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor Varnish Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evarnishadm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evarnishd\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "\u003e= 7.6.0 plain VCL mitigationFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\n\n\nFor Vinyl Cache:\n\n\n\n * at runtime by issuing vinyladm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the vinyld\nstartup parameters\n\n\n\n\n\n\nFor Varnish Cache:\n\n\n\n * at runtime by issuing varnishadm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the varnishd\nstartup parameters\n\n\n\n\n\n\nBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch4\u003e6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-50052",
"datePublished": "2026-06-03T03:56:01.974Z",
"dateReserved": "2026-06-03T03:56:01.075Z",
"dateUpdated": "2026-06-03T13:27:33.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50052 (GCVE-0-2026-50052)
Vulnerability from cvelistv5 – Published: 2026-06-03 03:56 – Updated: 2026-06-03 13:27
VLAI
Summary
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync
attack (request smuggling), which in turn can be used for cache poisoning,
authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the
feature parameter to contain +http2. HTTP/2 support is disabled by
default.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| The Vinyl Cache Project | Vinyl Cache |
Affected:
9.0.0
Unaffected: 9.0.1 |
|
| The Vinyl Cache Project | Varnish Cache (pre split) |
Affected:
7.6.0 , ≤ 8.0.1
(semver)
Unaffected: 8.0.2 Affected: 6.0.14 , ≤ 6.0.17 (semver) Unaffected: 6.0.18 |
|
| Varnish Software | Varnish Cache by Varnish Software |
Affected:
9.0.0 , ≤ 9.0.2
(semver)
Unaffected: 9.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50052",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:27:03.836713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:27:33.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vinyl Cache",
"programFiles": [
"bin/vinyld/http2/cache_http2_hpack.c"
],
"repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
"vendor": "The Vinyl Cache Project",
"versions": [
{
"status": "affected",
"version": "9.0.0"
},
{
"status": "unaffected",
"version": "9.0.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Varnish Cache (pre split)",
"programFiles": [
"bin/varnishd/http2/cache_http2_hpack.c"
],
"repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
"vendor": "The Vinyl Cache Project",
"versions": [
{
"lessThanOrEqual": "8.0.1",
"status": "affected",
"version": "7.6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "8.0.2"
},
{
"lessThanOrEqual": "6.0.17",
"status": "affected",
"version": "6.0.14",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.0.18"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Varnish Cache by Varnish Software",
"programFiles": [
"bin/vinyld/http2/cache_http2_hpack.c"
],
"repo": "https://github.com/varnish/varnish",
"vendor": "Varnish Software",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "9.0.3"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ehttp2 enabled\u003c/div\u003e\u003cdiv\u003eexploitable URLs present (require request body)\u003c/div\u003e"
}
],
"value": "http2 enabled\n\nexploitable URLs present (require request body)"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "AUTOMATIC",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:59:35.155Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://vinyl-cache.org/security/VSV00019.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUpdate to fix version\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Update to fix version"
}
],
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eDisable HTTP/2\u003c/h3\u003e\u003cp\u003eThe vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set feature -http2\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by removing \u003ccode\u003e-p feature=+http2\u003c/code\u003e from the \u003ccode\u003evinyld\u003c/code\u003e startup\nparameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the \u003ccode\u003eh2\u003c/code\u003e ALPN. For example with \u003ccode\u003ehaproxy\u003c/code\u003e, in the\n\u003ccode\u003elisten\u003c/code\u003e/\u003ccode\u003ebind\u003c/code\u003e configuration directive, \u003ccode\u003ealpn h2,http/1.1\u003c/code\u003e should be\nreplaced with \u003ccode\u003ealpn http/1.1\u003c/code\u003e.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\n\n\n\n * at runtime by issuing vinyladm param.set feature -http2\n\n\n\n * persistently by removing -p feature=+http2 from the vinyld startup\nparameters\n\n\n\n\n\n\nNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the h2 ALPN. For example with haproxy, in the\nlisten/bind configuration directive, alpn h2,http/1.1 should be\nreplaced with alpn http/1.1."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch3\u003eIn VCL, add a vmod re2 header filter\u003c/h3\u003e\u003cp\u003eThis method requires \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e header filters (see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://vinyl-cache.org/tutorials/hdr_filter.html\"\u003etutorial\u003c/a\u003e for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\u003c/p\u003e\n\u003cp\u003eTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%\u0026amp;\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eTo the best of our knowledge, where \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e is already used with a\n\u003ccode\u003ehdr_filter\u003c/code\u003e in allow mode (second argument \u003ccode\u003etrue\u003c/code\u003e), protection is already\nsufficient unless the empty string is allowed.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In VCL, add a vmod re2 header filterThis method requires vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 .\n\n\n vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 header filters (see the tutorial https://vinyl-cache.org/tutorials/hdr_filter.html for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\n\n\nTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\n\n\n## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%\u0026\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nTo the best of our knowledge, where vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 is already used with a\nhdr_filter in allow mode (second argument true), protection is already\nsufficient unless the empty string is allowed."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch4\u003e\u0026gt;= 7.6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\u003c/p\u003e\n\u003cp\u003eFor Vinyl Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evinyld\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor Varnish Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evarnishadm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evarnishd\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "\u003e= 7.6.0 plain VCL mitigationFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\n\n\nFor Vinyl Cache:\n\n\n\n * at runtime by issuing vinyladm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the vinyld\nstartup parameters\n\n\n\n\n\n\nFor Varnish Cache:\n\n\n\n * at runtime by issuing varnishadm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the varnishd\nstartup parameters\n\n\n\n\n\n\nBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ch4\u003e6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-50052",
"datePublished": "2026-06-03T03:56:01.974Z",
"dateReserved": "2026-06-03T03:56:01.075Z",
"dateUpdated": "2026-06-03T13:27:33.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}