Apache Traffic Server Vulnerability Allows DoS Attacks Through Memory Exhaustion
A newly disclosed vulnerability in Apache Traffic Server (ATS) has raised serious concerns among enterprise users and cloud providers, as attackers can exploit a flaw in the Edge Side Includes (ESI) plugin to trigger denial-of-service (DoS) attacks by exhausting server memory.
The vulnerability, tracked as CVE-2025-49763, affects multiple versions of ATS and has prompted urgent mitigation guidance from the Apache Software Foundation.
Vulnerability Overview
The CVE-2025-49763 vulnerability centers on the ESI plugin, which enables dynamic web content assembly at the edge.
Attackers can craft malicious requests that exploit the way ESI handles inclusion depth, causing the server to recursively process ESI includes until available memory is depleted. This results in a DoS condition, potentially taking critical web infrastructure offline.
| CVE ID | Description | Affected Versions | Reporter | Mitigation |
| --- | --- | --- | --- | --- |
| CVE-2025-49763 | Remote DoS via memory exhaustion in ESI plugin | 9.0.0–9.2.10, 10.0.0–10.0.5 | Yohann Sillam | Upgrade to 9.2.11/10.0.6+ and configure --max-inclusion-depth |
The issue was reported by Yohann Sillam, while a related ACL issue was flagged by Masakazu Kitajo (CVE-2025-31698).
Both vulnerabilities have been acknowledged by the Apache Software Foundation, which has released updates and configuration options to help users mitigate the risks.
Affected Versions and Exposure
The vulnerability impacts the following ATS versions:
- 9.0.0 to 9.2.10
- 10.0.0 to 10.0.5
Organizations running these versions are at risk if they use the ESI plugin without adequate configuration to limit inclusion depth.
Mitigation and Recommendations
To address the vulnerability, Apache has released patched versions—9.2.11 and 10.0.6—which introduce new configuration settings rather than an automatic fix. Users must take the following actions:
- Upgrade to ATS 9.2.11 or 10.0.6 (or later).
- Configure the ESI plugin using the new --max-inclusion-depth setting. The default value is 3, which helps prevent infinite or excessive inclusion loops.
- Review PROXY protocol settings and use the new proxy.config.acl.subjects option to control which IP addresses are subject to ACL rules, mitigating related access control risks.
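To make the mechanism concrete, the following is an added illustration (not code from Apache Traffic Server or its ESI plugin) of a toy ESI assembler with a depth cap. It assumes a constructed origin whose "/loop" fragment includes itself twice, counts the top-level document as depth 0, and follows includes only while their depth is at or below the cap; the stats it returns show how the number of fragment fetches doubles with every extra level of depth, which is why an unbounded resolver runs out of memory and why a small cap such as the default 3 keeps the work bounded.

```python
import re

ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')

# Constructed sample origin, not real ATS fixtures. "/loop" includes itself
# twice, so every additional level of inclusion depth doubles the fetches.
ORIGIN = {
    "/page": '<html><esi:include src="/fanout"/></html>',
    "/fanout": '<div><esi:include src="/leaf"/><esi:include src="/leaf"/></div>',
    "/leaf": "<p>leaf</p>",
    "/loop": '<div><esi:include src="/loop"/><esi:include src="/loop"/></div>',
}


def _expand(path, origin, max_depth, depth, stats):
    """Fetch one fragment and splice in its includes, one level deeper."""
    stats["fetches"] += 1
    stats["max_depth_seen"] = max(stats["max_depth_seen"], depth)
    body = origin[path]

    def replace(match):
        child = match.group(1)
        if depth + 1 > max_depth:
            # Depth cap reached: the include is dropped instead of fetched,
            # which is what bounds the work an include chain can cause.
            stats["dropped"] += 1
            return ""
        return _expand(child, origin, max_depth, depth + 1, stats)

    return ESI_INCLUDE.sub(replace, body)


def assemble(path, origin=ORIGIN, max_depth=3):
    """Assemble a page with a depth-limited ESI resolver.

    The top-level document is depth 0 (an assumption of this toy); includes
    are followed only while their depth is <= max_depth, with 3 mirroring the
    default described above. Returns (html, stats) where stats counts the
    fragments fetched, the includes dropped at the cap and the deepest level.
    """
    stats = {"fetches": 0, "dropped": 0, "max_depth_seen": 0}
    html = _expand(path, origin, max_depth, 0, stats)
    return html, stats


if __name__ == "__main__":
    print(assemble("/page"))
    for limit in (3, 10):
        print(f"/loop with max depth {limit}:", assemble("/loop", max_depth=limit)[1])
```

Raising the cap from 3 to 10 on the self-including fragment takes the fetch count from 15 to 2047 while the assembled output stays an empty shell, which is the cost profile a depth limit is there to contain.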
Administrators are urged to review their server configurations and apply the new settings to ensure their deployments are protected from memory exhaustion attacks.
If left unmitigated, this vulnerability could allow remote attackers to render ATS servers unresponsive, disrupting web services, degrading performance, and potentially incurring financial losses for affected organizations.
This vulnerability highlights the importance of not only upgrading to patched software versions but also actively configuring new security settings introduced by vendors.
Organizations relying on Apache Traffic Server should act swiftly to mitigate this memory exhaustion risk and ensure the resilience of their web infrastructure.