FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Vinyl/Varnish -- HTTP/2 parsing deficiency

Affected packages
vinyl09 < 9.0.1
varnish7 < 7.7.3_1

Details

VuXML ID f0f4bb64-52c6-11f1-a1c0-0050569f0b83
Discovery 2026-05-18
Entry 2026-05-18

Vinyl Development Team reports:

A deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass or possibly even information disclosure and manipulation.

[source]

References

URL https://vinyl-cache.org/security/VSV00019.html

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.