Apache Traffic Server Vulnerability Let Attackers Trigger DoS Attack via Memory Exhaustion
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical security vulnerability has been discovered in Apache Traffic Server that allows remote attackers to trigger denial-of-service (DoS) attacks through memory exhaustion.
The vulnerability, tracked as CVE-2025-49763, affects the Edge Side Includes (ESI) plugin and poses significant risks to organizations running affected versions of the popular HTTP caching proxy server.
DoS Attack via Memory Exhaustion
Security researcher Yohann Sillam identified the remote DoS vulnerability in Apache Traffic Server’s ESI processing component.
The vulnerability stems from insufficient depth controls in the ESI plugin’s inclusion mechanism, potentially allowing attackers to craft malicious requests that consume excessive server memory resources.
ESI is a markup language designed to tackle the problem of dynamic web content that changes frequently, making this vulnerability particularly concerning for high-traffic environments.
The CVE-2025-49763 vulnerability enables attackers to exploit the ESI plugin’s inclusion processing without proper limitations, leading to memory exhaustion scenarios.
When triggered, the vulnerability can cause the Apache Traffic Server to become unresponsive or crash entirely, effectively denying service to legitimate users.
This type of attack vector is especially dangerous because it can be executed remotely without requiring authentication or privileged access to the target system.
Risk Factors Details Affected ProductsApache Traffic Server versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5ImpactRemote Denial of Service (DoS) Exploit Prerequisites1. ESI plugin enabled
2. Network access to vulnerable server
3. Ability to send crafted HTTP/HTTPS requestsCVSS 3.1 Score7.5 (High)
Affected Versions
The vulnerability impacts Apache Traffic Server versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5.
Organizations running these versions in production environments face the immediate risk of service disruption. The Apache Software Foundation, the vendor behind Apache Traffic Server, has confirmed that all installations within this version range are susceptible to the memory exhaustion attack.
The security issue is compounded by an additional Access Control List (ACL) issue that was discovered alongside the ESI vulnerability.
While specific details about the ACL problem remain limited, the combination of both vulnerabilities creates a more complex security landscape for administrators to navigate.
The dual nature of these security flaws emphasizes the critical importance of immediate remediation efforts.
Mitigation Strategies
Apache Traffic Server users should immediately upgrade to the following versions:
However, the Apache Software Foundation notes that the new versions provide settings to mitigate issues rather than completely eliminating them, requiring administrators to implement proper configuration changes.
For organizations utilizing the ESI plugin, a new configuration parameter –max-inclusion-depth has been introduced with a default value of 3.
This setting limits the maximum inclusion depth and prevents infinite inclusion scenarios that could lead to memory exhaustion.
Administrators must configure this parameter appropriately based on their specific use cases while ensuring adequate protection against exploitation attempts.
The Apache Software Foundation recommends that users evaluate their ESI plugin usage and implement the new depth limitations as part of their security hardening procedures.
#Apache #Cyber_Security #Cyber_Security_News #Dos_attack #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Apache Traffic Server Vulnerability Let Attackers Trigger DoS Attack via Memory Exhaustion
Author: Guru BaranA critical security vulnerability has been discovered in Apache Traffic Server that allows remote attackers to trigger denial-of-service (DoS) attacks through memory exhaustion.
The vulnerability, tracked as CVE-2025-49763, affects the Edge Side Includes (ESI) plugin and poses significant risks to organizations running affected versions of the popular HTTP caching proxy server.
DoS Attack via Memory Exhaustion
Security researcher Yohann Sillam identified the remote DoS vulnerability in Apache Traffic Server’s ESI processing component.
The vulnerability stems from insufficient depth controls in the ESI plugin’s inclusion mechanism, potentially allowing attackers to craft malicious requests that consume excessive server memory resources.
ESI is a markup language designed to tackle the problem of dynamic web content that changes frequently, making this vulnerability particularly concerning for high-traffic environments.
The CVE-2025-49763 vulnerability enables attackers to exploit the ESI plugin’s inclusion processing without proper limitations, leading to memory exhaustion scenarios.
When triggered, the vulnerability can cause the Apache Traffic Server to become unresponsive or crash entirely, effectively denying service to legitimate users.
This type of attack vector is especially dangerous because it can be executed remotely without requiring authentication or privileged access to the target system.
Risk Factors Details Affected ProductsApache Traffic Server versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5ImpactRemote Denial of Service (DoS) Exploit Prerequisites1. ESI plugin enabled
2. Network access to vulnerable server
3. Ability to send crafted HTTP/HTTPS requestsCVSS 3.1 Score7.5 (High)
Affected Versions
The vulnerability impacts Apache Traffic Server versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5.
Organizations running these versions in production environments face the immediate risk of service disruption. The Apache Software Foundation, the vendor behind Apache Traffic Server, has confirmed that all installations within this version range are susceptible to the memory exhaustion attack.
The security issue is compounded by an additional Access Control List (ACL) issue that was discovered alongside the ESI vulnerability.
While specific details about the ACL problem remain limited, the combination of both vulnerabilities creates a more complex security landscape for administrators to navigate.
The dual nature of these security flaws emphasizes the critical importance of immediate remediation efforts.
Mitigation Strategies
Apache Traffic Server users should immediately upgrade to the following versions:
- Apache Traffic Server 9.x: Patched in 9.2.11 and later versions.
- Apache Traffic Server 10.x: Patched in 10.0.6 and later versions.
However, the Apache Software Foundation notes that the new versions provide settings to mitigate issues rather than completely eliminating them, requiring administrators to implement proper configuration changes.
For organizations utilizing the ESI plugin, a new configuration parameter –max-inclusion-depth has been introduced with a default value of 3.
This setting limits the maximum inclusion depth and prevents infinite inclusion scenarios that could lead to memory exhaustion.
Administrators must configure this parameter appropriately based on their specific use cases while ensuring adequate protection against exploitation attempts.
The Apache Software Foundation recommends that users evaluate their ESI plugin usage and implement the new depth limitations as part of their security hardening procedures.
#Apache #Cyber_Security #Cyber_Security_News #Dos_attack #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
