CVE-2025-61581
- Source
- https://cve.org/CVERecord?id=CVE-2025-61581
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61581.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-61581
- Aliases
- Downstream
- Related
- Published
- 2025-10-16T09:15:35.670Z
- Modified
- 2026-04-10T05:32:37.406656Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.
This issue affects Apache Traffic Control: all versions.
People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- References
Affected packages
Git / github.com/apache/incubator-trafficcontrol
Affected versions
1.*
1.1.0-release
1.1.1-hotfix
1.1.1-release
1.1.2-release
RELEASE-1.*
RELEASE-1.4.0-RC0
RELEASE-1.5.0-RC0
RELEASE-1.6.0-RC0
RELEASE-1.7.0-RC0
RELEASE-2.*
RELEASE-2.2.0-RC0
RELEASE-4.*
RELEASE-4.0.0-RC0
RELEASE-5.*
RELEASE-5.0.0-RC0
RELEASE-8.*
RELEASE-8.0.0
RELEASE-8.0.0-RC0
RELEASE-8.0.0-RC1
RELEASE-8.0.0-RC2
RELEASE-8.0.0-RC3
RELEASE-8.0.0-RC4
RELEASE-8.0.0-RC5
RELEASE-8.0.0-RC6
RELEASE-8.0.1
RELEASE-8.0.1-RC0
RELEASE-8.0.1-RC1
RELEASE-8.0.2
RELEASE-8.0.2-RC0
traffic_monitor-1.*
traffic_monitor-1.1.1
traffic_ops-release-1.*
traffic_ops-release-1.1.2
traffic_ops-release-1.1.3
traffic_ops-release-1.1.5
traffic_ops-release-1.1.6
traffic_router-1.*
traffic_router-1.1.1
traffic_router-1.1.2
v1.*
v1.1.3
v8.*
v8.0.0
v8.0.0-rc1
v8.0.0-rc2
v8.0.0-rc3
v8.0.0-rc4
v8.0.0-rc5
v8.0.0-rc6
v8.0.1
v8.0.1-rc0
v8.0.1-rc1
v8.0.2
v8.0.2-rc0