Critical Apache Traffic Server CVEs Expose DoS Vulnerabilities

David kimber
April 6, 2026 3 Min Read

Key Takeaways

  • The Apache Software Foundation has released urgent security updates for its Apache Traffic Server (ATS) to address two critical vulnerabilities.
  • These flaws, identified as CVE-2025-58136 and CVE-2025-65114, primarily affect how ATS processes HTTP requests with message bodies.
  • Successful exploitation could lead to Denial-of-Service (DoS) attacks or sophisticated HTTP request smuggling, impacting ATS versions 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1.
  • Patches are available in ATS versions 9.1.13+ and 10.1.2+, with a partial workaround for one DoS vulnerability.

The Apache Software Foundation has issued critical security advisories and released emergency updates for its widely used Apache Traffic Server (ATS). These patches address two severe vulnerabilities that, if left unmitigated, could expose enterprise networks to significant disruption through Denial-of-Service (DoS) attacks or advanced HTTP request smuggling techniques.

Apache Traffic Server functions as a high-performance web proxy cache, crucial for enhancing network efficiency and managing substantial volumes of web traffic across diverse enterprise environments. The recently discovered security flaws stem from specific weaknesses in how the server processes HTTP requests, particularly those containing message bodies.

Apache Traffic Server Vulnerabilities Detailed

CVE-2025-58136: HTTP POST Request DoS

The more immediate and disruptive of the two vulnerabilities is tracked as CVE-2025-58136. Discovered by security researcher Masakazu Kitajo, this flaw allows a seemingly innocuous HTTP POST request to trigger a complete crash of the entire ATS application. Given that POST requests are a standard method for web servers to receive data, this vulnerability presents a highly accessible attack vector for remote threat actors.

Exploitation of CVE-2025-58136 results in an instant Denial-of-Service condition, rendering the proxy server inoperable and effectively blocking legitimate users from accessing services reliant on the affected infrastructure.

CVE-2025-65114: Malformed Chunked Message Body HTTP Request Smuggling

The second vulnerability, identified as CVE-2025-65114, was uncovered by security researcher Katsutoshi Ikenoya. This flaw concerns the Apache Traffic Server’s inadequate handling of malformed chunked message bodies during data transmission. Attackers can leverage this improper processing to execute HTTP request smuggling attacks.

HTTP request smuggling is an advanced attack technique that enables malicious actors to manipulate the sequence and processing of HTTP requests. Such manipulation can bypass security controls, leading to consequences like web cache poisoning or unauthorized access to sensitive data on backend servers.
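To make concrete why the handling of malformed chunked bodies matters, here is an added example (not code from Apache Traffic Server or from this article) of a strict HTTP/1.1 chunked-body decoder that rejects any framing it cannot parse unambiguously: whitespace or prefixes in the chunk-size line, bare LF line endings, truncated chunk data, and leftover bytes after the terminating chunk. All sample inputs are constructed. Refusing malformed framing outright, rather than tolerating it, is what denies a front-end proxy and a back-end server any chance to disagree about where one request ends and the next begins.

```python
import re

# Strict chunk-size line: 1-8 hex digits, optional ";ext" chunk extension, nothing else.
# fullmatch() is used below so that no leading/trailing whitespace, "0x" prefix or
# embedded bare LF can slip through.
_CHUNK_SIZE_LINE = re.compile(rb"[0-9A-Fa-f]{1,8}(;[^\r\n]*)?")


def parse_chunked_body(data: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body, rejecting any deviation from RFC 9112 framing.

    Raises ValueError with a reason instead of guessing at malformed input; a proxy
    that guesses is exactly what lets two parsers disagree about request boundaries.
    """
    pos = 0
    out = bytearray()
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("chunk-size line not terminated by CRLF")
        line = data[pos:end]
        if _CHUNK_SIZE_LINE.fullmatch(line) is None:
            raise ValueError(f"malformed chunk-size line {line!r}")
        size = int(line.split(b";", 1)[0], 16)
        pos = end + 2
        if size == 0:
            break  # last-chunk; trailer section follows
        chunk_end = pos + size
        if data[chunk_end:chunk_end + 2] != b"\r\n":
            raise ValueError("chunk data is truncated or not followed by CRLF")
        out += data[pos:chunk_end]
        pos = chunk_end + 2
    # Trailer section: zero or more "name: value" lines, then one empty line.
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("trailer section not terminated by CRLF")
        line = data[pos:end]
        pos = end + 2
        if line == b"":
            break
        if b":" not in line:
            raise ValueError(f"malformed trailer field {line!r}")
    # Anything left over belongs to no chunk and must not be silently carried forward.
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} unexpected byte(s) after the last chunk")
    return bytes(out)


def check_chunked(data: bytes) -> str:
    """Return "ok" for a well-formed body, or "rejected: <reason>" otherwise."""
    try:
        parse_chunked_body(data)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample bodies (not captured traffic).
VALID = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
WITH_TRAILER = b"4\r\nWiki\r\n0\r\nExpires: 0\r\n\r\n"
SPACE_IN_SIZE = b"4 \r\nWiki\r\n0\r\n\r\n"
PREFIXED_SIZE = b"0x4\r\nWiki\r\n0\r\n\r\n"
BARE_LF = b"4\nWiki\r\n0\r\n\r\n"
TRAILING_BYTES = b"4\r\nWiki\r\n0\r\n\r\nextra"

SAMPLES = {
    "valid": VALID,
    "with trailer": WITH_TRAILER,
    "space in size": SPACE_IN_SIZE,
    "0x prefix": PREFIXED_SIZE,
    "bare LF": BARE_LF,
    "trailing bytes": TRAILING_BYTES,
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:>14}: {check_chunked(sample)}")
```

The decoder treats every ambiguity as an error rather than choosing an interpretation; in a proxy, the equivalent response is to reject the request with a 400 and close the connection so that no unparsed bytes remain on the stream.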

Affected Versions and Remediation

These vulnerabilities impact multiple active branches of the Apache Traffic Server. According to the official security advisory from the Apache Software Foundation, the affected software versions include ATS 9.0.0 through 9.2.12, as well as versions 10.0.0 through 10.1.1. Administrators overseeing these specific installations must prioritize immediate action to secure their network perimeters against potential exploitation.

The Apache Software Foundation strongly advises all administrators to upgrade their ATS installations to the latest secure releases. For those operating on the 9.x branch, an update to version 9.1.13 or later is recommended. Organizations utilizing the 10.x branch must upgrade to version 10.1.2 or newer to fully mitigate both threats.

For organizations unable to apply the full software updates immediately, a temporary workaround exists specifically for the DoS vulnerability, CVE-2025-58136. Administrators can prevent the server crash by setting the proxy.config.http.request_buffer_enabled parameter to 0. Notably, this is already the default value in the system configuration, meaning many servers might inherently be protected from this particular crash. However, it is crucial to understand that no workaround is available for the request smuggling vulnerability (CVE-2025-65114). Therefore, a complete software upgrade remains the only definitive strategy to secure the server environment against both identified threats.

What You Should Do

  • Immediately identify all Apache Traffic Server instances within your environment.
  • Verify whether your ATS versions fall within the affected ranges: 9.0.0 through 9.2.12 or 10.0.0 through 10.1.1.
  • Plan and execute an upgrade to ATS version 9.1.13+ or 10.1.2+ as soon as possible.
  • If immediate upgrade is not feasible, ensure the proxy.config.http.request_buffer_enabled parameter is set to 0 for partial protection against CVE-2025-58136.
  • Monitor Apache’s official security advisories for any further updates or recommendations.
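The version and configuration checks from the list above, carried out by an added helper that is not part of Apache Traffic Server or of this article. It runs on constructed input: the `traffic_server --version` output format it parses is an assumption, and it reads the parameter from the ATS 9.x `records.config` line format (`CONFIG <name> INT <value>`); ATS 10.x keeps its settings in `records.yaml`, which this helper does not parse. The affected ranges are the ones stated above, and an absent parameter is treated as the default value 0, as the advisory notes.

```python
import re
from typing import Optional

# Affected ranges as stated in the advisory summary (inclusive bounds).
AFFECTED_RANGES = (((9, 0, 0), (9, 2, 12)), ((10, 0, 0), (10, 1, 1)))
PARAM = "proxy.config.http.request_buffer_enabled"


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z version from a plain version string or from
    `traffic_server --version`-style output (assumed format, e.g.
    'Apache Traffic Server - traffic_server - 9.2.5 - (build ...)')."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside either affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def request_buffer_enabled(records_config: str) -> Optional[int]:
    """Read the parameter from records.config text (ATS 9.x format).
    Returns None when the line is absent, meaning the default applies."""
    for raw in records_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "CONFIG" and parts[1] == PARAM:
            return int(parts[3])
    return None


def assess(version: str, records_config: str) -> dict:
    """Summarise exposure of one instance: affected version, workaround state,
    and whether an upgrade is still required."""
    affected = is_affected(version)
    configured = request_buffer_enabled(records_config)
    effective = 0 if configured is None else configured  # default is 0 per the advisory
    return {
        "version": ".".join(map(str, parse_version(version))),
        "affected": affected,
        "request_buffer_enabled": effective,
        # A value of 0 only averts the CVE-2025-58136 crash; CVE-2025-65114 has
        # no workaround, so an affected version always still needs the upgrade.
        "dos_workaround_in_place": effective == 0,
        "upgrade_required": affected,
    }


# Constructed sample input (assumed --version format; excerpt is not a real config).
SAMPLE_VERSION_OUTPUT = "Apache Traffic Server - traffic_server - 9.2.12 - (build # 0 on Jan 1 2026)"
SAMPLE_RECORDS_CONFIG = """\
# constructed records.config excerpt
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.request_buffer_enabled INT 1
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION_OUTPUT, SAMPLE_RECORDS_CONFIG).items():
        print(f"{key}: {value}")
```

In a fleet, `assess()` is the per-host step; feed it the output of `traffic_server --version` and the contents of the host's `records.config`, and treat any `upgrade_required` result as a ticket regardless of the workaround state, since the smuggling issue is only closed by the upgrade.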
