CVE-2025-49763

CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

7.5HIGH

EPSS

0.6%

top 29.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server

Timeline

PublishedJun 19

Description

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/traffic_server9.0.0 — 9.2.11+1

▶CVEListV5apache_software_foundation/apache_traffic_server10.0.0 — 10.0.5+1

▶Debiantrafficserver< 9.2.5+ds-0+deb12u3

🔴Vulnerability Details

GHSA

GHSA-jrg5-jw7r-rxg9: ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted↗2025-06-19

▶

CVEList

Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin↗2025-06-19

▶

OSV

CVE-2025-49763: ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted↗2025-06-19

▶

📋Vendor Advisories

Red Hat

trafficserver: Traffic Server ESI Inclusion Depth Vulnerability↗2025-06-19

▶

Debian

CVE-2025-49763: trafficserver - ESI plugin does not have the limit for maximum inclusion depth, and that allows ...↗2025

▶