Proxy: Bypassing restrictions in Apache Traffic Server possible
Security vulnerabilities in the Apache Traffic Server proxy allow attackers to bypass access restrictions.
Two security vulnerabilities have been discovered in Apache Traffic Server (ATS), an open source proxy server. Attackers can abuse them to bypass access restrictions or to carry out denial-of-service attacks. Updated source releases that patch the vulnerabilities are available.
The developers have published details of the vulnerabilities on the oss-sec mailing list. The first one concerns the PROXY protocol: when applying access control lists (ACLs), ATS does not use the client IP address, which may allow unauthorized users to gain access (CVE-2025-31698, no CVSS value, no risk assessment). The updated software introduces a new configuration option (proxy.config.acl.subjects) that specifies which IP address the ACLs in "ip_allow.config" and "remap.config" are evaluated against and treated as trusted.
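To illustrate why the choice of ACL subject matters when a proxy sits behind a PROXY-protocol-speaking load balancer, here is an added example (not code from Apache Traffic Server, and not the semantics of its proxy.config.acl.subjects option, whose value names are not given in the article). It parses a PROXY protocol v1 header, then evaluates a constructed allow list against either the TCP peer address or the client address carried in the header, depending on an assumed, ordered `subjects` preference. The sample addresses, the allow list and the function names are all constructed for this example.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample: the proxy's TCP peer is an internal load balancer,
# which forwards the real client's address in a PROXY protocol v1 header.
SAMPLE_PEER_IP = "10.0.0.5"
SAMPLE_PROXY_LINE = b"PROXY TCP4 203.0.113.7 10.0.0.9 40123 8080\r\n"

# Hypothetical allow list in the spirit of an ip_allow-style config:
# only the internal network is allowed to use the proxy.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_proxy_v1(line: bytes) -> dict:
    """Parse one PROXY protocol v1 header line (haproxy spec) into its fields."""
    if not line.endswith(b"\r\n"):
        raise ValueError("PROXY v1 line must end with CRLF")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a valid PROXY v1 header")
    src = ipaddress.ip_address(parts[2])
    dst = ipaddress.ip_address(parts[3])
    expected_version = 4 if parts[1] == "TCP4" else 6
    if src.version != expected_version or dst.version != expected_version:
        raise ValueError("address family does not match the header")
    return {
        "family": parts[1],
        "src": src,
        "dst": dst,
        "src_port": int(parts[4]),
        "dst_port": int(parts[5]),
    }


def acl_subject(peer_ip: str, proxy_header: Optional[bytes], subjects: tuple):
    """Pick the address an ACL is evaluated against.

    `subjects` is an assumed ordered preference, e.g. ("PROXY", "PEER"):
    the first source that is available on this connection wins. "PEER" is
    the TCP peer, "PROXY" the client address from the PROXY header.
    """
    available = {"PEER": ipaddress.ip_address(peer_ip)}
    if proxy_header is not None:
        available["PROXY"] = parse_proxy_v1(proxy_header)["src"]
    for subject in subjects:
        if subject in available:
            return available[subject]
    raise ValueError("no usable ACL subject on this connection")


def is_allowed(addr, networks=ALLOWED_NETWORKS) -> bool:
    """Plain allow-list check against the configured networks."""
    return any(addr in net for net in networks)


def evaluate(peer_ip: str, proxy_header: Optional[bytes], subjects: tuple) -> Tuple[str, bool]:
    """Return (address the ACL saw, decision) for one connection."""
    subject = acl_subject(peer_ip, proxy_header, subjects)
    return str(subject), is_allowed(subject)


if __name__ == "__main__":
    # Evaluating on the peer lets every client the load balancer forwards through,
    # because the peer (10.0.0.5) is internal; evaluating on the PROXY-supplied
    # client address correctly rejects the external client 203.0.113.7.
    print(evaluate(SAMPLE_PEER_IP, SAMPLE_PROXY_LINE, ("PEER",)))
    print(evaluate(SAMPLE_PEER_IP, SAMPLE_PROXY_LINE, ("PROXY", "PEER")))
```

The two calls at the bottom show the difference the article describes: with only the peer address consulted, an internal allow list accepts anything the load balancer relays, including the external client named in the header. Whichever address is chosen as the ACL subject, a PROXY header should only be honoured from peers that are themselves trusted to set it, since the header is just bytes on the wire.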
The second vulnerability affects the ESI plug-in (Edge Side Includes). Attackers can provoke a denial of service, as the plug-in may consume all available memory: apparently an infinite inclusion depth can be triggered (CVE-2025-49763, no CVSS, no risk assessment). The software update adds a new setting for the plug-in, the parameter "--max-inclusion-depth" with a default value of 3, which is intended to stop unbounded inclusions.
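To show what an inclusion-depth limit buys, here is an added example of a small ESI-style include resolver (not the ESI plug-in's code). It expands `<esi:include src="..."/>` tags recursively over a constructed set of origin responses, one of which includes itself, and refuses to nest deeper than a configurable maximum; the tag syntax handled and the origin fragments are constructed for this example, and the default limit of 3 mirrors the value the article cites.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed sample "origin" responses keyed by URL. /recursive includes
# itself, which is the unbounded-inclusion case; /page is an ordinary chain.
ORIGIN: Dict[str, str] = {
    "/page": '<h1>Hello</h1><esi:include src="/header"/>',
    "/header": '<nav><esi:include src="/menu"/></nav>',
    "/menu": "<ul><li>Home</li></ul>",
    "/recursive": '<div><esi:include src="/recursive"/></div>',
}

# Only the simple self-closing include form is handled here.
INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    """Raised when expansion nests deeper than the configured maximum."""


def resolve_esi(url: str,
                fetch: Callable[[str], str] = ORIGIN.__getitem__,
                max_depth: int = 3,
                _depth: int = 0) -> str:
    """Expand include tags recursively; the top-level document is depth 0."""
    if _depth > max_depth:
        raise InclusionDepthExceeded(
            f"{url}: inclusion depth {_depth} exceeds limit {max_depth}")
    body = fetch(url)
    # Each nested include is resolved one level deeper than its parent.
    return INCLUDE_RE.sub(
        lambda m: resolve_esi(m.group(1), fetch, max_depth, _depth + 1), body)


def safe_resolve(url: str, max_depth: int = 3) -> Tuple[bool, str]:
    """Return (True, body) on success or (False, reason) when the limit trips."""
    try:
        return True, resolve_esi(url, max_depth=max_depth)
    except InclusionDepthExceeded as exc:
        return False, str(exc)


def count_fetches(url: str, max_depth: int = 3) -> int:
    """Number of origin fetches a bounded resolution performs before it stops."""
    fetched = 0

    def counting_fetch(u: str) -> str:
        nonlocal fetched
        fetched += 1
        return ORIGIN[u]

    try:
        resolve_esi(url, counting_fetch, max_depth)
    except InclusionDepthExceeded:
        pass
    return fetched


if __name__ == "__main__":
    print(safe_resolve("/page"))
    # Without the limit this would recurse until the process runs out of
    # stack or memory; with it the expansion is cut off after max_depth levels.
    print(safe_resolve("/recursive"))
    print(count_fetches("/recursive"))
```

Without the depth check, resolving `/recursive` never terminates and each level allocates another copy of the partially expanded document, which is the memory-exhaustion behaviour the article describes. With the limit, the resolver performs exactly `max_depth + 1` fetches and then fails the request in a controlled way, so a misconfigured or malicious fragment costs a bounded amount of work.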
Affected software versions
Apache Traffic Server versions 9.0.0 to 9.2.10 and 10.0.0 to 10.0.5 are affected; versions 9.2.11 and 10.0.6 or newer contain the fixes. To close the vulnerabilities, admins must also configure the new options, although the default value for the ESI plug-in's inclusion depth should be sufficient.
The CERT-Bund of the German Federal Office for Information Security (BSI) has assessed the risk posed by the vulnerabilities. According to the CERT-Bund security notice, the CVSS value is 8.2, which corresponds to a "high" risk. IT managers who use the two functions should therefore update to the new Apache Traffic Server versions promptly and configure the new options.
(dmk)