cvedb.io
CVE-2022-45060
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2022-11-09T06:15:09.830 · Last modified 2026-06-17T05:09:16.077

Summary

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Affected products

varnish-software — varnish_cache

Does this affect you?

Add your gear to cvedb and we'll alert you only when varnish-software ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.