CVE-2025-49763
Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin
Descriptions
The ESI plugin does not enforce a limit on the maximum inclusion depth, which allows excessive memory consumption if malicious instructions are inserted. Users can use a new plugin setting (--max-inclusion-depth) to limit the depth.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, and from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
SSVC
- Decision: Attend
Timeline
- 2025-06-09 CVE Reserved
- 2025-06-19 CVE Published
- 2025-06-20 CVE Updated
- 2025-07-02 EPSS Updated
CWE
- CWE-400: Uncontrolled Resource Consumption
References (1)
URL | Date | Source
---|---|---
https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 | 2025-06-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Apache Software Foundation | Apache Traffic Server | >= 10.0.0 <= 10.0.5 | Affected
Apache Software Foundation | Apache Traffic Server | >= 9.0.0 <= 9.2.10 | Affected