CVE-2026-50052
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green
Summary
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The Vinyl Cache Project | Vinyl Cache | 9.0.0 | affected |
| The Vinyl Cache Project | Vinyl Cache | 9.0.1 | unaffected |
| The Vinyl Cache Project | Varnish Cache (pre split) | 7.6.0 <= 8.0.1 | affected |
| The Vinyl Cache Project | Varnish Cache (pre split) | 8.0.2 | unaffected |
| The Vinyl Cache Project | Varnish Cache (pre split) | 6.0.14 <= 6.0.17 | affected |
| The Vinyl Cache Project | Varnish Cache (pre split) | 6.0.18 | unaffected |
| Varnish Software | Varnish Cache by Varnish Software | 9.0.0 <= 9.0.2 | affected |
| Varnish Software | Varnish Cache by Varnish Software | 9.0.3 | unaffected |
Weaknesses
- CWE-444: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Workarounds
Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it is, it can be disabled
at runtime by issuing vinyladm param.set feature -http2
persistently by removing -p feature=+http2 from the vinyld startup parameters
Note that HTTP/2 typically requires a TLS offloader, which must be changed to no longer send the h2 ALPN. For example with haproxy, in the listen/bind configuration directive, alpn h2,http/1.1 should be replaced with alpn http/1.1. In VCL, add a vmod re2 header filterThis method requires vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 .
vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 header filters (see the tutorial https://vinyl-cache.org/tutorials/hdr_filter.html for more information) can be used to remove injected invalid header lines, which are the vehicle required for launching desync attacks exploiting this vulnerability.
To the best of our knowledge, the following VCL snippet at the top of the custom VCL adds protection by removing invalid headers:
BEGIN vsv19 mitigation
import re2; sub vcl_init { new sane = re2.set(anchor=start, case_sensitive=false); # https://httpwg.org/specs/rfc9110.html#rule.token.separators # SLIGHTLY more relaxed, because it allows trailing SP / HTAB sane.add("[-!#$%&'*+.^_`|~a-z0-9]+:[\s\x21-\x7E\x80-\xff]+$"); } sub vcl_recv { sane.hdr_filter(req, true); }
END vsv19 mitigation
To the best of our knowledge, where vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 is already used with a hdr_filter in allow mode (second argument true), protection is already sufficient unless the empty string is allowed. >= 7.6.0 plain VCL mitigationFor versions 7.6.0 and higher, this method requires no additional VMODs, but needs inline-C to be enabled.
For Vinyl Cache:
at runtime by issuing vinyladm param.set vcc_feature +allow_inline_c
persistently by adding -p vcc_feature=+allow_inline_c to the vinyld startup parameters
For Varnish Cache:
at runtime by issuing varnishadm param.set vcc_feature +allow_inline_c
persistently by adding -p vcc_feature=+allow_inline_c to the varnishd startup parameters
Besides enabling inline-C, the following snippet needs to be added at the top of the custom VCL:
BEGIN vsv19 mitigation
sub recv_vsv19 { unset req.http.vsv19; if (req.proto != "HTTP/2.0" || ! req.http.content-length) { return; } set req.http.vsv19 = "1"; C{ VRT_SetHdr(ctx, &VGC_HDR_REQ_content_2d_length, 0, TOSTRAND(VRT_GetHdr(ctx, &VGC_HDR_REQ_content_2d_length))); }C } sub vcl_recv { call recv_vsv19; } sub vcl_backend_fetch { if (bereq.http.vsv19) { set bereq.http.Connection = "close"; } }
END vsv19 mitigation
In addition, care must be taken that bereq.http.Connection is not unset anywhere else in the custom VCL. 6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes required. The following snippet needs to be added at the top of the custom VCL:
BEGIN vsv19 mitigation
sub recv_vsv19 { unset req.http.vsv19; if (req.proto != "HTTP/2.0" || ! req.http.content-length) { return; } set req.http.vsv19 = "1"; set req.http.content-length = req.http.content-length; } sub vcl_recv { call recv_vsv19; } sub vcl_backend_fetch { if (bereq.http.vsv19) { set bereq.http.Connection = "close"; } }
END vsv19 mitigation
In addition, care must be taken that bereq.http.Connection is not unset anywhere else in the custom VCL.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.