CVE-2025-30347

Medium

Published: 21 March 2025

Published

21 March 2025

Modified

24 March 2025

KEV Added

—

Patch

—

CVSS Score 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

EPSS Score 0.0035 57.6th percentile

Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30347 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Varnish-Software Varnish Enterprise. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds read vulnerability by requiring timely patching of Varnish Enterprise to version 6.0.13r13 or later as specified in the vendor advisory.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables detection of vulnerable Varnish Enterprise instances through regular vulnerability scanning that identifies this specific CVE.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms to restrict unauthorized reads, mitigating information disclosure from the out-of-bounds access in MSE4 stevedore objects.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The CVE describes a remote out-of-bounds read in a public-facing Varnish Enterprise cache server (AV:N) that directly enables exploitation of public-facing applications (T1190) to obtain sensitive information from local system memory or cached stevedore objects (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read for range requests on ephemeral MSE4 stevedore objects.

Deeper analysisAI

CVE-2025-30347 is an out-of-bounds read vulnerability (CWE-125) affecting Varnish Enterprise versions prior to 6.0.13r13. It occurs in the handling of range requests on ephemeral MSE4 stevedore objects, enabling remote attackers to obtain sensitive information. The vulnerability was published on 2025-03-21 and has a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N), rated as medium severity due to its low confidentiality impact and high attack complexity.

Remote attackers without privileges can exploit this over the network by crafting specific range requests targeting the affected stevedore objects. Successful exploitation allows limited disclosure of sensitive information, with a changed scope that may affect dependent components, but no integrity or availability impacts are possible.

The Varnish Software security advisory at https://docs.varnish-software.com/security/VEV00001/ provides details on the issue, and upgrading to Varnish Enterprise 6.0.13r13 or later mitigates the vulnerability by addressing the out-of-bounds read.