Apache Software Foundation Apache Traffic Server vulnerabilities
56 known vulnerabilities affecting apache_software_foundation/apache_traffic_server.
Total CVEs: 56
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 43, MEDIUM 9
Vulnerabilities
Page 1 of 3
CVE-2025-65114 [HIGH] CVSS 7.5, CWE-444. Affected: ≥ 9.0.0, ≤ 9.2.12; ≥ 10.0.0, ≤ 10.1.1. Date: 2026-04-02.
Apache Traffic Server allows request smuggling if chunked messages are malformed.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.
Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Sources: cvelistv5, nvd
CVE-2025-58136 [HIGH] CVSS 7.5, CWE-670. Affected: ≥ 10.0.0, ≤ 10.1.1; ≥ 9.0.0, ≤ 9.2.12. Date: 2026-04-02.
A bug in POST request handling causes a crash under a certain condition.
This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.
Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.
A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the defau
Sources: cvelistv5, nvd
CVE-2025-31698 [HIGH] CVSS 7.5, CWE-284. Affected: ≥ 10.0.0, ≤ 10.0.6; ≥ 9.0.0, ≤ 9.2.10. Date: 2025-06-19.
ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.
Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.6, from 9.0.0 t
Sources: cvelistv5, nvd
CVE-2025-49763 [HIGH] CVSS 7.5, CWE-400. Affected: ≥ 10.0.0, ≤ 10.0.5; ≥ 9.0.0, ≤ 9.2.10. Date: 2025-06-19.
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.
Users can use a new setting for the plugin (--max-inclusion-depth) to limit it.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.
Users are recommended to
Sources: cvelistv5, nvd
CVE-2024-53868 [HIGH] CVSS 7.5, CWE-444. Affected: ≥ 9.2.0, ≤ 9.2.9; ≥ 10.0.0, ≤ 10.0.4. Date: 2025-04-03.
Apache Traffic Server allows request smuggling if chunked messages are malformed.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.
Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fix the issue.
Sources: cvelistv5, nvd
CVE-2024-56196 [MEDIUM] CVSS 6.3, CWE-284. Affected: ≥ 10.0.0, ≤ 10.0.3. Date: 2025-03-06.
Improper Access Control vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 10.0.4, which fixes the issue.
Sources: cvelistv5, nvd
CVE-2024-56202 [MEDIUM] CVSS 4.3, CWE-440. Affected: ≥ 9.0.0, ≤ 9.2.8; ≥ 10.0.0, ≤ 10.0.3. Date: 2025-03-06.
Expected Behavior Violation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4 or newer, which fix the issue.
Sources: cvelistv5, nvd
CVE-2024-38311 [MEDIUM] CVSS 6.3, CWE-20. Affected: ≥ 8.0.0, ≤ 8.1.11; ≥ 9.0.0, ≤ 9.2.8; ≥ 10.0.0, ≤ 10.0.3. Date: 2025-03-06.
Improper Input Validation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fix the issue.
Sources: cvelistv5, nvd
CVE-2024-56195 [MEDIUM] CVSS 6.3, CWE-284. Affected: ≥ 9.2.0, ≤ 9.2.8; ≥ 10.0.0, ≤ 10.0.3. Date: 2025-03-06.
Improper Access Control vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fix the issue.
Sources: cvelistv5, nvd
CVE-2024-50306 [CRITICAL] CVSS 9.1, CWE-252. Affected: ≥ 9.2.0, ≤ 9.2.5; ≥ 10.0.0, ≤ 10.0.1. Date: 2024-11-14.
Unchecked return value can allow Apache Traffic Server to retain privileges on startup.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1.
Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fix the issue.
Sources: cvelistv5, nvd
CVE-2024-38479 [HIGH] CVSS 7.5, CWE-20. Affected: ≥ 8.0.0, ≤ 8.1.11; ≥ 9.0.0, ≤ 9.2.5. Date: 2024-11-14.
Improper Input Validation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5.
Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
Sources: cvelistv5, nvd
CVE-2024-50305 [HIGH] CVSS 7.5, CWE-20. Affected: ≥ 9.2.0, ≤ 9.2.5. Date: 2024-11-14.
Valid Host header field can cause Apache Traffic Server to crash on some platforms.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5.
Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
Sources: cvelistv5, nvd
CVE-2024-35161 [HIGH] CVSS 7.5, CWE-444. Affected: ≥ 8.0.0, ≤ 8.1.10; ≥ 9.0.0, ≤ 9.2.4. Date: 2024-07-26.
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users can set a new setting (proxy.config.http.drop_
Sources: cvelistv5, nvd
CVE-2023-38522 [HIGH] CVSS 7.5, CWE-444. Affected: ≥ 8.0.0, ≤ 8.1.10; ≥ 9.0.0, ≤ 9.2.4. Date: 2024-07-26.
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users a
Sources: cvelistv5, nvd
CVE-2024-35296 [HIGH] CVSS 8.2, CWE-20. Affected: ≥ 8.0.0, ≤ 8.1.10; ≥ 9.0.0, ≤ 9.2.4. Date: 2024-07-26.
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fix the issue.
Sources: cvelistv5, nvd
CVE-2024-31309 [HIGH] CVSS 7.5, CWE-20. Affected: ≥ 8.0.0, ≤ 8.1.9; ≥ 9.0.0, ≤ 9.2.3. Date: 2024-04-10.
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions from 8.0.0 through 8.1.9 and from 9.0.0 through 9.2.3 are affected.
Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memor
Sources: cvelistv5, nvd
CVE-2023-41752 [HIGH] CVSS 7.5, CWE-200. Affected: ≥ 8.0.0, ≤ 8.1.8; ≥ 9.0.0, ≤ 9.2.2. Date: 2023-10-17.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fix the issue.
Sources: cvelistv5, nvd
CVE-2023-39456 [HIGH] CVSS 7.5, CWE-20. Affected: ≥ 9.0.0, ≤ 9.2.2. Date: 2023-10-17.
Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2.
Users are recommended to upgrade to version 9.2.3, which fixes the issue.
Sources: cvelistv5, nvd
CVE-2023-33934 [CRITICAL] CVSS 9.1, CWE-444. Affected: ≤ 9.2.1. Date: 2023-08-09.
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.
This issue affects Apache Traffic Server: through 9.2.1.
Sources: cvelistv5, nvd
CVE-2022-47185 [HIGH] CVSS 7.5, CWE-20. Affected: ≤ 9.2.1. Date: 2023-08-09.
Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.
This issue affects Apache Traffic Server: through 9.2.1.
Sources: cvelistv5, nvd