OESA-2025-1904

Apache Traffic Server (ATS) is a set of scalable HTTP proxy and caching servers from the Apache Foundation in the United States. Apache Traffic Server (ATS) versions 10.0.0 to 10.0.6 and 9.0.0 to 9.2.10 have access control error vulnerabilities due to the ACL configuration not using the IP address provided by the PROXY protocol.(CVE-2025-31698)

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.

Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.(CVE-2025-49763)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:24.03-LTS-SP2 / trafficserver

Package

Name: trafficserver
Purl: pkg:rpm/openEuler/trafficserver&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.2.11-1.oe2403sp2

Ecosystem specific

{
    "src": [
        "trafficserver-9.2.11-1.oe2403sp2.src.rpm"
    ],
    "aarch64": [
        "trafficserver-9.2.11-1.oe2403sp2.aarch64.rpm",
        "trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64.rpm",
        "trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64.rpm",
        "trafficserver-devel-9.2.11-1.oe2403sp2.aarch64.rpm",
        "trafficserver-perl-9.2.11-1.oe2403sp2.aarch64.rpm"
    ],
    "x86_64": [
        "trafficserver-9.2.11-1.oe2403sp2.x86_64.rpm",
        "trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64.rpm",
        "trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64.rpm",
        "trafficserver-devel-9.2.11-1.oe2403sp2.x86_64.rpm",
        "trafficserver-perl-9.2.11-1.oe2403sp2.x86_64.rpm"
    ]
}