CVE-2025-31698

CWE-284 — Improper Access Control6 documents6 sources

Severity

7.5HIGH

EPSS

0.2%

top 55.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server

Timeline

PublishedJun 19

Description

ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/traffic_server9.0.0 — 9.2.11+1

▶CVEListV5apache_software_foundation/apache_traffic_server10.0.0 — 10.0.6+1

▶Debiantrafficserver< 9.2.5+ds-0+deb12u3

🔴Vulnerability Details

GHSA

GHSA-v2wx-jg5q-pj8q: ACL configured in ip_allow↗2025-06-19

▶

CVEList

Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL↗2025-06-19

▶

OSV

CVE-2025-31698: ACL configured in ip_allow↗2025-06-19

▶

📋Vendor Advisories

Red Hat

trafficserver: Apache Traffic Server PROXY Protocol ACL Bypass↗2025-06-19

▶

Debian

CVE-2025-31698: trafficserver - ACL configured in ip_allow.config or remap.config does not use IP addresses that...↗2025

▶