{"id":"CVE-2025-47905","details":"Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries.","aliases":["BIT-varnish-2025-47905"],"modified":"2026-04-10T05:27:50.189237Z","published":"2025-05-13T22:15:24Z","related":["ALSA-2025:8336","ALSA-2025:8337","ALSA-2025:8550"],"references":[{"type":"WEB","url":"https://varnish-cache.org/security/VSV00016.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/05/15/2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00040.html"}],"schema_version":"1.7.5"}