Critical Apache Traffic Server CVEs Expose DoS Vulnerabilities
Key Takeaways
- The Apache Software Foundation has released urgent security updates for its Apache Traffic Server (ATS) to address two critical vulnerabilities.
- These flaws, identified as CVE-2025-58136 and CVE-2025-65114, both sit in the code path that processes HTTP requests carrying a message body.
- Successful exploitation leads to a Denial-of-Service (DoS) crash or to HTTP request smuggling. Affected releases are ATS 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1.
- Fixes ship in ATS 9.2.13 and 10.1.2. A configuration workaround exists for the DoS flaw only (and it is the default setting); the smuggling flaw has no workaround.
The Apache Software Foundation has issued security advisories and released updates for its widely used Apache Traffic Server (ATS). The patches address two vulnerabilities that, if left unmitigated, expose the proxy tier to disruption through Denial-of-Service (DoS) attacks or to HTTP request smuggling against the origins behind it.
Apache Traffic Server is a high-performance caching forward and reverse proxy used to front large volumes of web traffic in enterprise and CDN deployments. Both newly disclosed flaws stem from weaknesses in how the server parses and buffers HTTP requests that carry a message body.
Apache Traffic Server Vulnerabilities Detailed
CVE-2025-58136: HTTP POST Request DoS
The more immediately disruptive of the two vulnerabilities is tracked as CVE-2025-58136. Reported by security researcher Masakazu Kitajo, this flaw allows a crafted HTTP POST request to crash the traffic_server process. Because POST is an ordinary request method that any client can send, the attack needs no credentials and no special network position: anyone who can reach the proxy can trigger it. According to the advisory, the crash is only reachable when request buffering (proxy.config.http.request_buffer_enabled) is turned on, which is not the default.
Exploitation of CVE-2025-58136 produces an immediate Denial-of-Service condition: the proxy process terminates and every service that depends on it becomes unreachable until it is restarted. Since a single request is enough, an attacker can simply repeat it to keep a restarted instance down.
CVE-2025-65114: Malformed Chunked Message Body HTTP Request Smuggling
The second vulnerability, identified as CVE-2025-65114, was reported by security researcher Katsutoshi Ikenoya. It concerns how Apache Traffic Server handles malformed chunked message bodies: instead of rejecting a body that violates the chunked transfer-coding grammar, the server processes it in a way that can be abused for HTTP request smuggling.
HTTP request smuggling exploits a disagreement between two HTTP parsers on the same connection, typically the proxy and the origin server, about where one request ends and the next begins. When the proxy forwards a request whose body boundary the origin interprets differently, the leftover bytes are treated by the origin as a second request that the proxy never saw and never applied its access rules to. Typical consequences are bypass of proxy-level security controls, poisoning of the shared cache, and access to responses meant for other users.
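As an added illustration of the mechanism described above (constructed example, not Apache Traffic Server code, and not a reproduction of the CVE-2025-65114 bug itself), the following Python decodes one attacker-controlled byte stream twice: once with a chunk-size parser that follows the RFC 9112 grammar and once with a lenient parser that only looks at the leading hex digits of the chunk-size line. The lenient side turns a single POST into a POST plus a GET /admin that the strict side would never have framed. The request bytes and host name are made up for the demonstration.

```python
"""Why malformed chunked bodies matter: one byte stream, two decoders, two
different request boundaries. Constructed illustration; this is not Apache
Traffic Server code and does not reproduce the CVE-2025-65114 bug itself."""
import re

CRLF = b"\r\n"
# RFC 9112: chunk-size = 1*HEXDIG, optionally followed by ";"-prefixed chunk
# extensions. Simplified here: extension values with quoted spaces are not supported.
STRICT_SIZE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^;\s]*)*$")
# A lenient parser that takes the leading hex digits and ignores whatever follows.
LENIENT_SIZE = re.compile(rb"^([0-9A-Fa-f]+)")


def _read_line(buf: bytes, pos: int):
    """Return (line without CRLF, position after the CRLF)."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise ValueError("missing CRLF")
    return buf[pos:end], end + 2


def decode_chunked(buf: bytes, pos: int, size_re) -> tuple:
    """Decode a chunked body starting at pos; return (body, position after body)."""
    body = b""
    while True:
        line, pos = _read_line(buf, pos)
        m = size_re.match(line)
        if not m:
            raise ValueError(f"bad chunk-size line {line!r}")
        size = int(m.group(1), 16)
        if size == 0:
            # last-chunk: an optional trailer section ends with an empty line
            while True:
                line, pos = _read_line(buf, pos)
                if line == b"":
                    return body, pos
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != CRLF:
            raise ValueError("chunk-data not followed by CRLF")
        pos += 2


def frame_requests(stream: bytes, strict: bool) -> list:
    """Split a connection's byte stream into (request-line, body) pairs."""
    size_re = STRICT_SIZE if strict else LENIENT_SIZE
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(CRLF + CRLF, pos)
        if head_end < 0:
            raise ValueError("incomplete header block")
        head = stream[pos:head_end].split(CRLF)
        request_line, headers = head[0], head[1:]
        pos = head_end + 4
        chunked = any(h.lower().startswith(b"transfer-encoding:") and b"chunked" in h.lower()
                      for h in headers)
        if chunked:
            body, pos = decode_chunked(stream, pos, size_re)
        else:
            body = b""  # Content-Length framing is not needed for this illustration
        requests.append((request_line, body))
    return requests


# Constructed attacker stream: the chunk-size line "0 zz" is malformed, because
# only hex digits and ";"-prefixed extensions may follow the size.
ATTACK = (
    b"POST /upload HTTP/1.1\r\nHost: cache.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n"
    b"0 zz\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: cache.example\r\n\r\n"
)


def compare(stream: bytes = ATTACK) -> dict:
    """Frame the same stream with both parsers; the strict one rejects it."""
    out = {}
    try:
        out["strict"] = frame_requests(stream, strict=True)
    except ValueError as e:
        out["strict"] = f"rejected: {e}"
    out["lenient"] = frame_requests(stream, strict=False)
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, "->", result)
```

The correct behaviour on a malformed chunk-size line is the strict one: respond 400 and close the connection, so that no unconsumed bytes survive to be re-parsed as a new request. Any "recovery" that keeps the connection alive after a framing error is a smuggling primitive waiting to be found.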
Affected Versions and Remediation
Both vulnerabilities affect the two maintained branches of Apache Traffic Server. According to the Apache Software Foundation's advisory, the affected releases are ATS 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1. Administrators running any release in those ranges should treat the upgrade as urgent, since the DoS flaw is reachable with a single unauthenticated request.
The Apache Software Foundation advises upgrading to the fixed releases: version 9.2.13 or later on the 9.x branch, and version 10.1.2 or later on the 10.x branch. These releases address both CVEs.
For organizations that cannot upgrade immediately, a workaround exists for the DoS vulnerability (CVE-2025-58136) only: set proxy.config.http.request_buffer_enabled to 0. This is the shipped default, so an instance that has never enabled request buffering is not exposed to the crash. Do not assume that, though: confirm the effective value on each instance (for example with traffic_ctl config get proxy.config.http.request_buffer_enabled, or by grepping records.config / records.yaml), because the setting is commonly turned on to support features that need the full request body before the origin connection is opened. There is no workaround for the request smuggling vulnerability (CVE-2025-65114); upgrading is the only way to close it, and the workaround above should be treated as a stopgap, not a fix.
What You Should Do
- Identify every Apache Traffic Server instance in your environment, including ones embedded in CDN or appliance deployments.
- Check whether each instance runs an affected release: 9.0.0 through 9.2.12 or 10.0.0 through 10.1.1.
- Plan and execute an upgrade to ATS 9.2.13 or later, or 10.1.2 or later, as soon as possible.
- If an immediate upgrade is not feasible, verify that proxy.config.http.request_buffer_enabled is 0 on each instance; that reduces exposure to CVE-2025-58136 only and does nothing for CVE-2025-65114.
- Monitor Apache's official security advisories for further updates or recommendations.
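To turn the steps above into a repeatable check, here is an added triage helper (written for this write-up, not code from the Apache Traffic Server project). It classifies a version string against the affected ranges, reads the effective proxy.config.http.request_buffer_enabled value from records.config, records.yaml or traffic_ctl output, and reports which of the two CVEs an instance is exposed to. The sample version banner and configuration line are constructed; the records.yaml key layout the regex tolerates is an assumption, and the fixed-version numbers are those given in this article.

```python
"""Triage helper for CVE-2025-58136 and CVE-2025-65114 on Apache Traffic Server.
Added example, not ATS project code. Sample inputs below are constructed."""
import re

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# Affected ranges and first fixed release per branch, as given in the article
AFFECTED = {9: ((9, 0, 0), (9, 2, 12)), 10: ((10, 0, 0), (10, 1, 1))}
FIXED = {9: (9, 2, 13), 10: (10, 1, 2)}
# Matches records.config ("CONFIG proxy.config.http.request_buffer_enabled INT 1"),
# traffic_ctl output ("proxy.config.http.request_buffer_enabled: 1") and a
# records.yaml line ("request_buffer_enabled: 1"); the yaml form is an assumption.
BUFFER_RE = re.compile(r"request_buffer_enabled\b[^\d\n]*(\d+)")


def parse_version(text: str) -> tuple:
    """Extract x.y.z from e.g. 'Apache Traffic Server - traffic_server - 9.2.5 - (build ...)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: tuple) -> bool:
    """True when the version falls inside an affected range of its branch."""
    rng = AFFECTED.get(version[0])
    return rng is not None and rng[0] <= version <= rng[1]


def request_buffering_enabled(config_text: str) -> bool:
    """Effective value of request_buffer_enabled; absent means the default (0, off).
    The last occurrence wins, as it does in records.config."""
    values = BUFFER_RE.findall(config_text)
    return bool(int(values[-1])) if values else False


def assess(version_text: str, config_text: str) -> dict:
    """Combine version and config into an exposure summary for one instance."""
    v = parse_version(version_text)
    affected = is_affected(v)
    buffering = request_buffering_enabled(config_text)
    fix = FIXED.get(v[0])
    return {
        "version": ".".join(map(str, v)),
        "affected": affected,
        # The crash needs request buffering on; the smuggling flaw has no workaround
        "cve_2025_58136_exposed": affected and buffering,
        "cve_2025_65114_exposed": affected,
        "upgrade_to": ".".join(map(str, fix)) if affected and fix else None,
    }


# Constructed sample inputs, not taken from a real host
SAMPLE_VERSION = "Apache Traffic Server - traffic_server - 9.2.5 - (build # 1212 on Dec 12 2025 at 10:00:00)"
SAMPLE_RECORDS = "CONFIG proxy.config.http.request_buffer_enabled INT 1\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_RECORDS))
```

In practice you would feed parse_version the output of the instance's traffic_server version banner and request_buffering_enabled the output of traffic_ctl config get for that record; a result with affected set is an upgrade ticket regardless of the buffering flag, because only the DoS exposure depends on it.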
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.