VSV00018 Varnish Cache absolute form parsing deficiency

2026-03-16

CVE: pending

A deficiency in HTTP/1.1 request parsing can potentially be used for cache poisoning or authentication bypass, if the req.url VCL variable gets passed unchecked to a backend which accepts requests with absolute form URIs.

The potential attack surface of this issue is limited to “root” URLs with a path of / as in https://example.com/, but not https://example.com/whatever.

We recommend to upgrade to a version which is not affected or mitigate the issue in VCL, as detailed below.

Versions affected

• All Varnish Cache Releases up to and including 8.0.0

• Varnish Cache 6.0 LTS series up to and including 6.0.16.

• Varnish Enterprise by Varnish Software 6.0.x up to and including 6.0.16r11.

Versions not affected

• Vinyl Cache 9.0 (released 2026-03-16)

• Vinyl Cache main branch at commit f27e9550aa30ad18e5196371d583e7131745088e or later

• Varnish Cache 8.0.1 (released 2026-03-16)

• Varnish Cache 6.0 LTS version 6.0.17 (released 2026-03-16)

• Varnish Enterprise by Varnish Software version 6.0.16r12 or later.

Mitigation

If upgrading is not possible, the problem can be mitigated by adding the following VCL snippet at the top of the VCL:

sub vsv18 {
  if (req.url == "*" && req.method == "OPTIONS") {
    return;
  }
  # NB: we do not allow connect by default (see vcl_req_method)
  if (req.url !~ "^/" && req.method != "CONNECT") {
    return (synth(400));
  }
}

sub vcl_recv {
  call vsv18;
}

This code has now also been added to the built-in VCL as an additional forward-looking precaution.

Acknowledgements and credits

We thank Tom Kinnaird of Claranet Limited for having reported the issue.

For the Vinyl Cache project, the issue has been handled and fixed by Nils Goroll of UPLEX.

Dridi Boukelmoune and Walid Boudebouda of Varnish Software have provided feedback, pointed out related aspects to consider and prepared backports to Varnish Cache.