CVE-2026-50052

Summary

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

Affected Software

VendorProductVersion RangeStatus
The Vinyl Cache ProjectVinyl Cache9.0.0affected
The Vinyl Cache ProjectVinyl Cache9.0.1unaffected
The Vinyl Cache ProjectVarnish Cache (pre split)7.6.0 <= 8.0.1affected
The Vinyl Cache ProjectVarnish Cache (pre split)8.0.2unaffected
The Vinyl Cache ProjectVarnish Cache (pre split)6.0.14 <= 6.0.17affected
The Vinyl Cache ProjectVarnish Cache (pre split)6.0.18unaffected
Varnish SoftwareVarnish Cache by Varnish Software9.0.0 <= 9.0.2affected
Varnish SoftwareVarnish Cache by Varnish Software9.0.3unaffected

Weaknesses

  • CWE-444: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Workarounds

Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it is, it can be disabled

  • at runtime by issuing vinyladm param.set feature -http2

  • persistently by removing -p feature=+http2 from the vinyld startup parameters

Note that HTTP/2 typically requires a TLS offloader, which must be changed to no longer send the h2 ALPN. For example with haproxy, in the listen/bind configuration directive, alpn h2,http/1.1 should be replaced with alpn http/1.1. In VCL, add a vmod re2 header filterThis method requires vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 .

vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 header filters (see the tutorial https://vinyl-cache.org/tutorials/hdr_filter.html for more information) can be used to remove injected invalid header lines, which are the vehicle required for launching desync attacks exploiting this vulnerability.

To the best of our knowledge, the following VCL snippet at the top of the custom VCL adds protection by removing invalid headers:

BEGIN vsv19 mitigation

import re2; sub vcl_init { new sane = re2.set(anchor=start, case_sensitive=false); # https://httpwg.org/specs/rfc9110.html#rule.token.separators # SLIGHTLY more relaxed, because it allows trailing SP / HTAB sane.add("[-!#$%&'*+.^_`|~a-z0-9]+:[\s\x21-\x7E\x80-\xff]+$"); } sub vcl_recv { sane.hdr_filter(req, true); }

END vsv19 mitigation

To the best of our knowledge, where vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 is already used with a hdr_filter in allow mode (second argument true), protection is already sufficient unless the empty string is allowed. >= 7.6.0 plain VCL mitigationFor versions 7.6.0 and higher, this method requires no additional VMODs, but needs inline-C to be enabled.

For Vinyl Cache:

  • at runtime by issuing vinyladm param.set vcc_feature +allow_inline_c

  • persistently by adding -p vcc_feature=+allow_inline_c to the vinyld startup parameters

For Varnish Cache:

  • at runtime by issuing varnishadm param.set vcc_feature +allow_inline_c

  • persistently by adding -p vcc_feature=+allow_inline_c to the varnishd startup parameters

Besides enabling inline-C, the following snippet needs to be added at the top of the custom VCL:

BEGIN vsv19 mitigation

sub recv_vsv19 { unset req.http.vsv19; if (req.proto != "HTTP/2.0" || ! req.http.content-length) { return; } set req.http.vsv19 = "1"; C{ VRT_SetHdr(ctx, &VGC_HDR_REQ_content_2d_length, 0, TOSTRAND(VRT_GetHdr(ctx, &VGC_HDR_REQ_content_2d_length))); }C } sub vcl_recv { call recv_vsv19; } sub vcl_backend_fetch { if (bereq.http.vsv19) { set bereq.http.Connection = "close"; } }

END vsv19 mitigation

In addition, care must be taken that bereq.http.Connection is not unset anywhere else in the custom VCL. 6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes required. The following snippet needs to be added at the top of the custom VCL:

BEGIN vsv19 mitigation

sub recv_vsv19 { unset req.http.vsv19; if (req.proto != "HTTP/2.0" || ! req.http.content-length) { return; } set req.http.vsv19 = "1"; set req.http.content-length = req.http.content-length; } sub vcl_recv { call recv_vsv19; } sub vcl_backend_fetch { if (bereq.http.vsv19) { set bereq.http.Connection = "close"; } }

END vsv19 mitigation

In addition, care must be taken that bereq.http.Connection is not unset anywhere else in the custom VCL.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References