CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-31698 – Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL
https://notcve.org/view.php?id=CVE-2025-31698
19 Jun 2025 — ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue. • https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-49763 – Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin
https://notcve.org/view.php?id=CVE-2025-49763
19 Jun 2025 — ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue. ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory cons... • https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-53868 – Apache Traffic Server: Malformed chunked message body allows request smuggling
https://notcve.org/view.php?id=CVE-2024-53868
03 Apr 2025 — Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue. • https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38311 – Apache Traffic Server: Request smuggling via pipelining after a chunked message body
https://notcve.org/view.php?id=CVE-2024-38311
06 Mar 2025 — Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56195 – Apache Traffic Server: Intercept plugins are not access controlled
https://notcve.org/view.php?id=CVE-2024-56195
06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56196 – Apache Traffic Server: ACL is not fully compatible with older versions
https://notcve.org/view.php?id=CVE-2024-56196
06 Mar 2025 — Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 10.0.4, which fixes the issue. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56202 – Apache Traffic Server: Expect header field can unreasonably retain resource
https://notcve.org/view.php?id=CVE-2024-56202
06 Mar 2025 — Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling, cache poisoning or incomplete dropping of privileges. • https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 • CWE-440: Expected Behavior Violation •
CVSS: 9.1EPSS: 1%CPEs: 2EXPL: 0CVE-2024-50306 – Apache Traffic Server: Server process can fail to drop privilege
https://notcve.org/view.php?id=CVE-2024-50306
14 Nov 2024 — Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue. Un valor de retorno sin marcar puede permitir que Apache Traffic Server conserve privilegios al iniciarse. Este problema afecta a Apache Traffic Server: de la versión 9.2.0 a la 9.2.5 y de la versión 10.0.0 a la 10.0.1. • https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y • CWE-252: Unchecked Return Value •