Skip to main content

Traffic Server CVE-2025-31698

| EUVDEUVD-2025-18750 HIGH
Improper Access Control (CWE-284)
2025-06-19 security@apache.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 00:08 euvd
EUVD-2025-18750
Analysis Generated
Mar 15, 2026 - 00:08 vuln.today
CVE Published
Jun 19, 2025 - 10:15 nvd
HIGH 7.5

DescriptionCVE.org

ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.

Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

AnalysisAI

CVE-2025-31698 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Technical ContextAI

CWE-284 (Improper Access Control). CVSS 7.5 indicates high severity.

RemediationAI

Monitor vendor channels for patch availability.

CVE-2015-3249 CRITICAL
9.8 Oct 30

The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of

CVE-2014-3525 CRITICAL
10.0 Aug 22

Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unkno

CVE-2015-5206 CRITICAL
9.8 Sep 13

Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unkn

CVE-2015-5168 CRITICAL
9.8 Sep 13

Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown imp

CVE-2014-3624 CRITICAL
9.8 Oct 30

Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to

CVE-2021-43082 CRITICAL
9.8 Nov 03

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Ap

CVE-2021-35474 CRITICAL
9.8 Jun 30

Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0

CVE-2020-1944 CRITICAL
9.8 Mar 23

There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling at

CVE-2023-33934 CRITICAL
9.1 Aug 09

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.2.1. Rated critical severity

CVE-2024-35296 HIGH
8.2 Jul 26

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.0.0 th

CVE-2021-38161 HIGH
8.1 Nov 03

Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle a

CVE-2017-5659 HIGH
7.5 Apr 17

Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked enco

Vendor StatusVendor

Ubuntu

Priority: Medium
trafficserver
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
oracular ignored end of life, was needs-triage
plucky ignored end of life, was needs-triage
jammy needed -
noble needed -
upstream released 9.2.11
questing needed -

Debian

Bug #1108044
trafficserver
Release Status Fixed Version Urgency
bullseye vulnerable 8.1.10+ds-1~deb11u1 -
bullseye (security) vulnerable 8.1.11+ds-0+deb11u2 -
bookworm, bookworm (security) fixed 9.2.5+ds-0+deb12u3 -
sid vulnerable 9.2.5+ds-1 -
bookworm fixed 9.2.5+ds-0+deb12u3 -
(unstable) fixed (unfixed) -

Share

CVE-2025-31698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy