CVE-2025-30347
Published: 21 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-30347 is an out-of-bounds read vulnerability (CWE-125) affecting Varnish Enterprise versions prior to 6.0.13r13. It occurs in the handling of range requests on ephemeral MSE4 stevedore objects, enabling remote attackers to obtain sensitive information. The vulnerability was published on 2025-03-21 and has a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N), rated as medium severity due to its low confidentiality impact and high attack complexity.
Remote attackers without privileges can exploit this over the network by crafting specific range requests targeting the affected stevedore objects. Successful exploitation allows limited disclosure of sensitive information, with a changed scope that may affect dependent components, but no integrity or availability impacts are possible.
The Varnish Software security advisory at https://docs.varnish-software.com/security/VEV00001/ provides details on the issue, and upgrading to Varnish Enterprise 6.0.13r13 or later mitigates the vulnerability by addressing the out-of-bounds read.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote out-of-bounds read in a public-facing Varnish Enterprise cache server (AV:N) that directly enables exploitation of public-facing applications (T1190) to obtain sensitive information from local system memory or cached stevedore objects (T1005).