Key information

Vulnerability name: VSV00017 Varnish HTTP/2 Made You Reset Attack
CVE ID: CVE-2025-8671
Published: 2025-08-13

Affected versions:
- Varnish Cache: 5.x, 6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1
- Varnish Cache 6.0 LTS series up to and including 6.0.14
- Varnish Enterprise by Varnish Software 6.0.x up to and including 6.0.14r4

Unaffected versions:
- Varnish Cache 7.6.4 (released 2025-08-13)
- Varnish Cache 7.7.2 (released 2025-08-13)
- Varnish Cache 6.0 LTS version 6.0.15 (released 2025-08-13)
- GitHub Varnish Cache master branch at commit 5202a6e329651cd0121e9eac78e60b66351a50bf
- Varnish Enterprise by Varnish Software version 6.0.14r5

Mitigation:
- Upgrade Varnish to an unaffected version.
- If upgrading is not possible, the issue can be mitigated by disabling HTTP/2 support:
  - From the ALPN protocol list in the TLS terminator, remove

Monitoring the mitigation:
- Use the same monitoring strategy as for VSV00013.

Credits:
- Reported by: Gal Bar Nahum, Anat Bremler-Barr, Yaniv Harel of Tel Aviv University