Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.
Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.
Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
AnalysisAI
The ESI (Edge Side Includes) plugin in Apache Traffic Server lacks enforcement of maximum inclusion depth limits, allowing attackers to craft malicious ESI instructions that trigger excessive recursive inclusions and cause denial-of-service through memory exhaustion. This vulnerability affects Apache Traffic Server versions 9.0.0-9.2.10 and 10.0.0-10.0.5, with a CVSS score of 7.5 indicating high availability impact. The vulnerability is remotely exploitable without authentication and can be mitigated by upgrading to patched versions (9.2.11 or 10.0.6) or configuring the new --max-inclusion-depth setting.
Technical ContextAI
The ESI (Edge Side Includes) plugin in Apache Traffic Server processes server-side include directives to dynamically assemble web content. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption), specifically the absence of a maximum depth limit for nested ESI include operations. When processing ESI markup with deeply nested <esi:include> tags, the parser recursively fetches and includes content without bounds, leading to unbounded memory allocation. ESI is commonly deployed in edge caching and content delivery scenarios (CPE: cpe:2.7.a:apache:traffic_server). The plugin's lack of depth validation means an attacker can craft ESI payloads with arbitrary nesting levels (e.g., <esi:include src="url"><esi:include src="url">...</esi:include></esi:include>) causing the server to exhaust available memory during the inclusion resolution process.
RemediationAI
Upgrade Apache Traffic Server to version 9.2.11 (for 9.x branch) or 10.0.6 (for 10.x branch); priority: CRITICAL Configuration Mitigation: If upgrade is not immediately possible, apply the new --max-inclusion-depth parameter to the ESI plugin configuration to enforce a reasonable maximum nesting depth (recommended: 5-10 levels depending on application requirements); notes: This setting must be added to Traffic Server configuration files or startup parameters for the ESI plugin Network Mitigation: Implement rate limiting and request size limits at load balancers or reverse proxies upstream of Traffic Server to reject ESI requests with unusually deep nesting patterns or large payload sizes; notes: Monitor for malformed ESI payloads in access logs Monitoring: Deploy memory and CPU usage monitoring alerts on Traffic Server instances to detect DoS attempts exploiting this vulnerability; watch for rapid memory growth correlated with ESI request patterns
More in Traffic Server
View allThe HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of
Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unkno
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unkn
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown imp
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Ap
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling at
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.2.1. Rated critical severity
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.0.0 th
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle a
Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked enco
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| jammy | needed | - |
| questing | needed | - |
| plucky | ignored | end of life, was needs-triage |
| noble | needed | - |
| upstream | released | 9.2.11 |
Debian
Bug #1108044| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 8.1.10+ds-1~deb11u1 | - |
| bullseye (security) | vulnerable | 8.1.11+ds-0+deb11u2 | - |
| bookworm, bookworm (security) | fixed | 9.2.5+ds-0+deb12u3 | - |
| sid | vulnerable | 9.2.5+ds-1 | - |
| bookworm | fixed | 9.2.5+ds-0+deb12u3 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18741