From nils.goroll at uplex.de Mon May 18 13:03:12 2026
From: nils.goroll at uplex.de (Nils Goroll)
Date: Mon, 18 May 2026 15:03:12 +0200
Subject: New security advisory: VSV00019 HTTP/2 parsing deficiency
Message-ID: <95091036-286c-42da-9cf2-9433e8fe1390@uplex.de>

https://vinyl-cache.org/security/VSV00019.html

==============================================================
VSV00019 Vinyl Cache / Varnish Cache HTTP/2 parsing deficiency
==============================================================

.. rubric:: 2026-05-18
   :class: date

.. CVE pending

A deficiency in HTTP/2 request parsing can be exploited to launch a
backend request desync attack (request smuggling), which in turn can be
used for cache poisoning, authentication bypass or possibly even
information disclosure and manipulation.

The attack vector only exists if HTTP/2 support is enabled by setting
the ``feature`` parameter to contain ``+http2``. HTTP/2 support is
disabled by default.

We recommend upgrading to a version which is not affected, disabling
HTTP/2 support or mitigating the issue in VCL, as detailed below.

-----------------
Versions affected
-----------------

* Vinyl Cache 9.0.0
* Varnish Cache by Varnish Software up to and including 9.0.2
* All Varnish Cache Releases from 7.6.0 up to and including 8.0.1
* Varnish Cache 6.0 LTS series from 6.0.14 up to and including 6.0.17.

---------------------
Versions not affected
---------------------

* Vinyl Cache 9.0.1 (released 2026-05-18)
* Vinyl Cache main branch at commit XXX or later
* Varnish Cache by Varnish Software 9.0.3 (released 2026-05-18)
* Varnish Cache 8.0.2 (released 2026-05-18)
* Varnish Cache 6.0 LTS version 6.0.18 (2026-05-18)
* Varnish Enterprise by Varnish Software

------------------
Mitigation Options
------------------

Several options to mitigate this issue exist. The safest is disabling
HTTP/2.

Disable HTTP/2
--------------

The vulnerability can only be exploited if HTTP/2 support is enabled.
Where it is, it can be disabled

* at runtime by issuing ``vinyladm param.set feature -http2``
* persistently by removing ``-p feature=+http2`` from the ``vinyld``
  startup parameters

Note that HTTP/2 typically requires a TLS offloader, which must be
changed to no longer send the ``h2`` ALPN. For example with
``haproxy``, in the ``listen``/``bind`` configuration directive,
``alpn h2,http/1.1`` should be replaced with ``alpn http/1.1``.

In VCL, add a vmod re2 header filter
------------------------------------

.. _vmod_re2: https://gitlab.com/uplex/varnish/libvmod-re2
.. _tutorial: https://vinyl-cache.org/tutorials/hdr_filter.html

This method requires `vmod_re2`_.

`vmod_re2`_ header filters (see the `tutorial`_ for more information)
can be used to remove injected invalid header lines, which are the
vehicle required for launching desync attacks exploiting this
vulnerability.

To the best of our knowledge, the following VCL snippet at the top of
the custom VCL adds protection by removing invalid headers::

   ## BEGIN vsv19 mitigation
   #
   import re2;

   sub vcl_init {
       new sane = re2.set(anchor=start, case_sensitive=false);
       # https://httpwg.org/specs/rfc9110.html#rule.token.separators
       # SLIGHTLY more relaxed, because it allows trailing SP / HTAB
       sane.add("[-!#$%&'*+.^_`|~a-z0-9]+:[\s\x21-\x7E\x80-\xff]+$");
   }

   sub vcl_recv {
       sane.hdr_filter(req, true);
   }
   #
   ## END vsv19 mitigation

To the best of our knowledge, where `vmod_re2`_ is already used with a
``hdr_filter`` in allow mode (second argument ``true``), protection is
already sufficient unless the empty string is allowed.

In VCL, close desync
--------------------

This method requires no additional VMODs, but needs inline-C to be
enabled:

* at runtime by issuing ``vinyladm param.set vcc_feature +allow_inline_c``
* persistently by adding ``-p vcc_feature=+allow_inline_c`` to the
  ``vinyld`` startup parameters

This method works by combining two techniques:

* rendering a smuggled request invalid
* avoiding backend connection reuse.

Besides enabling inline-C, the following snippet needs to be added at
the top of the custom VCL::

   ## BEGIN vsv19 mitigation
   #
   sub recv_vsv19 {
       unset req.http.vsv19;
       if (req.proto != "HTTP/2.0") {
           return;
       }
       set req.http.vsv19 = "1";
       if (req.http.content-length) {C{
           VRT_SetHdr(ctx, &VGC_HDR_REQ_content_2d_length, 0,
               TOSTRAND(VRT_GetHdr(ctx, &VGC_HDR_REQ_content_2d_length)));
       }C}
   }

   sub vcl_recv {
       call recv_vsv19;
   }

   sub vcl_backend_fetch {
       if (bereq.http.vsv19) {
           set bereq.http.Connection = "close";
       }
   }
   #
   ## END vsv19 mitigation

In addition, care must be taken that ``bereq.http.Connection`` is not
unset anywhere else in the custom VCL.

Acknowledgements and credits
----------------------------

We thank Lam Jun Rong of Calif.io, who used Anthropic Research's tool
"Claude", for reporting this issue.

For the Vinyl Cache project, the issue has been handled by Nils Goroll
of UPLEX.

The merged fix is a slight variation of the proposed fix by Lam Jun
Rong, which had already been found independently by Dridi Boukelmoune.

--
Nils Goroll (he/him)

**  * *
UPLEX - Nils Goroll Systemoptimierung
Scheffelstraße 32
22301 Hamburg

tel +49 40 28805731
mob +49 170 2723133
fax +49 40 42949753

xmpp://slink at jabber.int.uplex.de/
http://uplex.de/

From walid.boudebouda at varnish-software.com Mon May 18 14:24:04 2026
From: walid.boudebouda at varnish-software.com (Walid Boudebouda)
Date: Mon, 18 May 2026 16:24:04 +0200
Subject: Vinyl/Varnish security releases announcement
Message-ID:

Hi,

Vinyl Cache 9.0.1, Varnish Cache 8.0.2 and 6.0.18 have been released.

https://vinyl-cache.org/releases/rel9.0.1.html#rel9-0-1
https://vinyl-cache.org/releases/rel8.0.2.html#rel8-0-2
https://vinyl-cache.org/releases/rel6.0.18.html#rel6-0-18

These security releases address the VSV00019 vulnerability. We
recommend upgrading to one of these versions as soon as possible.

Regards,
Walid Boudebouda
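The allow-mode header filter from the vmod_re2 mitigation in the VSV00019 advisory above, re-implemented in Python as an added example (this is not code from the advisory, from vmod_re2 or from the Vinyl/Varnish projects) so that the effect of the pattern can be checked on sample header lines before it is deployed. It assumes headers are presented as ``Name: value`` byte strings, the way Varnish stores them, and the sample lines are constructed for the demonstration.

```python
import re

# Byte-level translation of the allow-list pattern the advisory passes to
# re2.set(anchor=start, case_sensitive=false).  RE2's \s is [\t\n\f\r ], written
# out explicitly here because Python's bytes \s would additionally accept \v.
TOKEN = rb"[-!#$%&'*+.^_`|~a-z0-9]+"            # RFC 9110 token characters
VALUE = rb"[\t\n\f\r \x21-\x7E\x80-\xff]+"      # RE2 \s, VCHAR and obs-text
SANE_HEADER = re.compile(TOKEN + rb":" + VALUE, re.IGNORECASE)


def is_sane_header(line: bytes) -> bool:
    """True if a stored header line ("Name: value") matches the allow pattern.

    anchor=start in the VCL plus the trailing $ in the pattern together require
    the whole line to match, which is what fullmatch() checks.
    """
    return SANE_HEADER.fullmatch(line) is not None


def hdr_filter(headers):
    """Model of sane.hdr_filter(req, true): every header line that does not
    match the allow pattern is removed.  Returns (kept, dropped) so the effect
    on a request can be inspected."""
    kept, dropped = [], []
    for line in headers:
        (kept if is_sane_header(line) else dropped).append(line)
    return kept, dropped


# Constructed sample header lines (not taken from the advisory).
SAMPLE_HEADERS = [
    b"Host: example.test",
    b"Content-Length: 12",
    b"User-Agent: Example/1.0 (constructed)",
    b"X-Trailing: value\t",   # trailing HTAB: the "slightly more relaxed" case
    b"Bad Name: x",           # SP is not a token character, so the name is invalid
    b"X-Empty:",              # no value at all after the colon
    b"X-Ctl: a\x01b",         # control byte outside the allowed value range
]

if __name__ == "__main__":
    kept, dropped = hdr_filter(SAMPLE_HEADERS)
    for line in kept:
        print("keep   ", line)
    for line in dropped:
        print("REMOVE ", line)
```

Running the script lists the four syntactically valid lines as kept and the three malformed ones as removed; the last three cases are the shape of line the advisory describes as the vehicle for a desync, which is why an allow-mode filter that refuses the empty string is sufficient. Note that the filter checks syntax only: a header that is well-formed but semantically unwanted passes it unchanged.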