CVE-2017-12425

Name: CVE-2017-12425
Creator: NVD / NIST
Published: 2017-08-04T09:29:00.237+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.42%

Last modified Jun 17, 2026

CVE-2017-12425 is a vulnerability of currently unknown severity. An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. EPSS estimates a 2.42% chance of exploitation in the next 30 days.

Description

An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases.

Metrics

EPSS Probability

2.42%

82.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-190

Affected Software

Vendor	Product	Versions	Update
Varnish-Cache	Varnish	4.0.2	Rc-1
Varnish-Cache	Varnish	4.0.3	Rc-1
Varnish Cache Project	Varnish Cache	4.0.1	—
Varnish Cache Project	Varnish Cache	4.0.2	—
Varnish Cache Project	Varnish Cache	4.0.3	—
Varnish Cache Project	Varnish Cache	4.0.4	—
Varnish-Cache	Varnish	4.1.0	—
Varnish-Software	Varnish Cache	4.1.0	Beta1
Varnish-Software	Varnish Cache	4.1.1	—
Varnish-Software	Varnish Cache	4.1.2	—
Varnish-Software	Varnish Cache	4.1.3	—
Varnish-Software	Varnish Cache	4.1.4	—
Varnish-Software	Varnish Cache	4.1.5	—
Varnish-Software	Varnish Cache	4.1.6	—
Varnish-Software	Varnish Cache	4.1.7	—
Varnish Cache Project	Varnish Cache	5.0.0	—
Varnish Cache Project	Varnish Cache	5.1.0	—
Varnish Cache Project	Varnish Cache	5.1.1	—
Varnish Cache Project	Varnish Cache	5.1.2	—

References

http://www.debian.org/security/2017/dsa-3924
https://bugzilla.redhat.com/show_bug.cgi?id=1477222Issue Tracking, Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1051917Issue Tracking, Third Party Advisory
https://github.com/varnishcache/varnish-cache/issues/2379Third Party Advisory
https://lists.debian.org/debian-security-announce/2017/msg00186.htmlMailing List, Third Party Advisory
https://www.varnish-cache.org/security/VSV00001.html#vsv00001Vendor Advisory
http://www.debian.org/security/2017/dsa-3924
https://bugzilla.redhat.com/show_bug.cgi?id=1477222Issue Tracking, Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1051917Issue Tracking, Third Party Advisory
https://github.com/varnishcache/varnish-cache/issues/2379Third Party Advisory
https://lists.debian.org/debian-security-announce/2017/msg00186.htmlMailing List, Third Party Advisory
https://www.varnish-cache.org/security/VSV00001.html#vsv00001Vendor Advisory

Timeline

Published: Aug 4, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-12425?

How severe is CVE-2017-12425?

Severity scoring for CVE-2017-12425 is pending analysis. The EPSS model estimates a 2.42% probability of exploitation in the next 30 days.

How do I fix CVE-2017-12425?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-12425?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST