Security, bugs & vulnerabilities

  • Rev. 2021-08-17 phk

List of all Varnish CVEs




5.x, 6.x, 7.x


VSV00014 Varnish HTTP/2 Broke Window Attack

5.x, 6.x, 7.x


VSV00013 Varnish HTTP/2 Rapid Reset Attack



VSV00012 Base64 decoding vulnerability in vmod-digest

6.x, 7.x


VSV00011 Varnish HTTP/2 Request Forgery Vulnerability

7.0, 7.1, 7.2


VSV00010 Varnish Request Smuggling Vulnerability

7.0, 7.1


VSV00009 Varnish Denial of Service Vulnerability

< 7.0.2


VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability

6.0, 6.5, 6.6


VSV00007 Varnish HTTP/2 Request Smuggling Attack



VSV00006 varnish-modules Denial of Service

6.0, 6.2, 6.3


VSV00005 Varnish HTTP Proxy Protocol V2 Denial of Service

6.0, 6.2, 6.3


VSV00004 Workspace information leak

6.0, 6.2


VSV00003 DoS attack vector

4.1, 5.2


VSV00002 Data leak - ‘-sfile’ Stevedore transient objects

4.x, 5.x


VSV00001 DoS vulnerability

< 3.0.5



<= 3.0.3


Local information leak



Trophy hunting

< 2.1.0


Trophy hunting

We take security and quality very seriously in the Varnish project, and we are more than a little proud that it took eleven years before we had a major security issue.

I have found a security hole

Send email to Poul-Henning, Nils and Martin: Email addresses and GPG keys

I want to hear about security vulnerabilities

Subscribe to the Varnish Announce mailing list

Vulnerabilities are, and will continue to be, listed on this page: new ones near the top, older ones further down.

I’m a VIVU goddammit!

Varnish users come in all sizes and levels of importance: some are private homepages, others are global CDNs, national governments or major news outlets.

We want to provide some way for Varnish users to get early warning about future security incidents, but we do not want to pass judgement on who the “Very Important Varnish Users” are, and much less do we want to try to keep up-to-date contact information for a list that long.

We also don’t want to make this information free, because if we did, every criminal and his brother would sign up, to get a head start against the Varnish users.

The rule going forward is therefore that if you contributed at least EUR240 towards a Varnish Moral License in the 12 months previous to the disclosure-date, you will get early warning about security issues.

On a case-by-case basis and purely at our discretion, we will also extend this privilege to people who have contributed significantly to the project in other ways.

Security Politics

To be totally honest, this section is quite speculative. We have very little experience in this area, but this is how I expect we would react to a major security issue:

  • Assign a VSV number.

  • Try to get a CVE assigned.

  • Create a VCL workaround, if at all possible.

  • Fix the problem.

  • If it makes sense (i.e., there is no VCL workaround), roll a point release.

  • Announce on and homepage.

  • Kick ourselves, for months, for missing the bug.

Define “Major”

As you will notice if you peruse the CVEs listed above, we are not kindly inclined to trophy-hunting and shrill alarmism.

If security advisories are to have any utility, they should be both rare and relevant.

In particular, we do not consider it a security vulnerability that somebody has a different taste in program architecture, or that aliens might be able to DoS Varnish servers if they have invented quantum computers we cannot even comprehend.

On the other hand, if we find anything, on our own or thanks to external contributors, which imperils Varnish users, we will not hesitate to issue a CVE to get people’s attention.

11 years, really?

Yes, indeed. Luck probably has a lot to do with it, but luck tends to favour the well-prepared, and we have had a big focus on quality since the very start.

Here is a piece I wrote about it last year