CVE-2025-49763

EUVD-2025-18741 | Severity: HIGH | Published: 2025-06-19 | Assigner: [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (4 events)

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
EUVD ID Assigned: Mar 15, 2026 - 00:08 (euvd) - EUVD-2025-18741
Analysis Generated: Mar 15, 2026 - 00:08 (vuln.today)
CVE Published: Jun 19, 2025 - 10:15 (nvd)

Description

The ESI plugin does not have a limit on maximum inclusion depth, which allows excessive memory consumption if malicious instructions are inserted. Users can use a new plugin setting (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server from 10.0.0 through 10.0.5 and from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

Analysis

The ESI (Edge Side Includes) plugin in Apache Traffic Server does not enforce a maximum inclusion depth, so an attacker who can get ESI directives into content the plugin processes can chain includes without bound and exhaust server memory, a denial of service. Affected versions are 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5. The CVSS 3.1 score of 7.5 reflects a network-reachable, unauthenticated, no-interaction condition whose only impact is availability. Remediation is to upgrade to 9.2.11 or 10.0.6; those releases are also where the --max-inclusion-depth plugin setting first appears, so the setting is part of the fix rather than an alternative to it. Check the plugin documentation for its default and set it explicitly to the depth your pages actually need.

Technical Context

The ESI (Edge Side Includes) plugin in Apache Traffic Server processes server-side include directives to assemble responses from fragments at the edge. The weakness is CWE-400 (Uncontrolled Resource Consumption): there was no limit on inclusion depth, that is, on how many times an included fragment may itself be expanded. An <esi:include src="..."/> directive is an empty element, so the depth does not come from literally nesting tags inside one document; it comes from each fetched fragment containing further <esi:include> directives, and a fragment that includes itself, or two fragments that include each other, expands without end. Memory consumed during resolution grows with the number of levels, and with the fan-out per level when a fragment carries several includes. Exploitation requires the attacker's ESI directives to reach the plugin, typically through origin content that reflects or stores untrusted input. ESI is commonly deployed in edge caching and content delivery scenarios (CPE: cpe:2.3:a:apache:traffic_server).

Affected Products

Traffic Server: 9.0.0 through 9.2.10; 10.0.0 through 10.0.5

Remediation

Upgrade (priority: CRITICAL): upgrade Apache Traffic Server to 9.2.11 (9.x branch) or 10.0.6 (10.x branch).

Configuration: the --max-inclusion-depth setting for the ESI plugin is new in the fixed releases, so it is not a workaround for installs that cannot yet be upgraded. After upgrading, set it explicitly in the plugin's configuration (the plugin.config line or startup parameters for the ESI plugin) to the smallest depth your pages actually need; the original analysis suggests 5-10 levels depending on application requirements. A depth cap bounds levels, not total work: a fragment with k includes per level can still trigger on the order of k^depth fetches within the cap, so keep the value low and watch fan-out as well.

Network: rate limit and cap request sizes at load balancers or reverse proxies in front of Traffic Server. ESI directives live in origin responses rather than in client requests, so request-side filtering only helps where client input ends up in ESI-processed content; rate limiting still bounds how quickly an attacker can trigger expansions. Monitor access logs for malformed or unexpected ESI payloads.

Monitoring: alert on memory and CPU growth on Traffic Server instances to detect DoS attempts; watch for rapid memory growth correlated with requests for ESI-processed pages.
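To make the mechanism in Technical Context and the depth cap in Remediation concrete, here is an added example (not code from Apache Traffic Server or from the vuln.today analysis) of a toy ESI include expander in Python: the unbounded form that the CVE describes, beside a depth-capped form that stands in for --max-inclusion-depth. The fragment store, the depth numbering (top-level document is depth 0, an include found at depth d is fetched at depth d+1), and the fail-closed behaviour are assumptions of this example, not the plugin's actual semantics.

```python
"""Toy ESI include expander: the unbounded pattern beside a depth-capped one.

Added illustration for CVE-2025-49763; not the Apache Traffic Server ESI plugin.
"""
import re
from typing import Callable, Dict

# Matches an empty-element include directive such as <esi:include src="/nav" />.
ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')

# Constructed fragment store standing in for origin responses (example data).
FRAGMENTS: Dict[str, str] = {
    "/index": '<h1>home</h1><esi:include src="/nav" />',
    "/nav": '<ul><esi:include src="/leaf" /></ul>',
    "/leaf": "<li>item</li>",
    # Malicious fragment: it includes itself twice, so every level of expansion
    # doubles both the number of fetches and the bytes buffered.
    "/bomb": 'x<esi:include src="/bomb" /><esi:include src="/bomb" />',
}


class InclusionDepthExceeded(Exception):
    """Raised when an include would go deeper than the configured cap."""


def expand_unbounded(src: str, fetch: Callable[[str], str]) -> str:
    """Vulnerable pattern: each fetched fragment is expanded again with no cap.

    A self-including fragment recurses until resources run out. In this toy
    Python's recursion limit fires (RecursionError); a native server with no
    such guard simply keeps allocating, which is the CVE's memory exhaustion.
    """
    body = fetch(src)
    return ESI_INCLUDE.sub(lambda m: expand_unbounded(m.group(1), fetch), body)


def expand_bounded(src: str, fetch: Callable[[str], str], max_depth: int,
                   *, drop_over_limit: bool = False, _depth: int = 0) -> str:
    """Depth-capped expansion (assumed semantics, standing in for --max-inclusion-depth).

    The top-level document is depth 0; an include found at depth d is fetched at
    depth d+1 and refused once d+1 exceeds max_depth. The default is fail-closed
    (raise). drop_over_limit=True replaces the offending include with an empty
    string instead, which is what fetch_count() below uses to measure the work a
    cap still permits.
    """
    body = fetch(src)

    def replace(m: "re.Match[str]") -> str:
        target, depth = m.group(1), _depth + 1
        if depth > max_depth:
            if drop_over_limit:
                return ""
            raise InclusionDepthExceeded(f"{target} at depth {depth} > {max_depth}")
        return expand_bounded(target, fetch, max_depth,
                              drop_over_limit=drop_over_limit, _depth=depth)

    return ESI_INCLUDE.sub(replace, body)


def unbounded_exhausts(src: str) -> bool:
    """True when the unbounded expander runs out of resources on src."""
    try:
        expand_unbounded(src, FRAGMENTS.__getitem__)
    except RecursionError:
        return True
    return False


def fetch_count(src: str, max_depth: int) -> int:
    """Origin fetches a depth cap still permits for src when over-limit
    includes are dropped: a 2-way self-include costs 2**(max_depth+1) - 1."""
    count = 0

    def counting_fetch(path: str) -> str:
        nonlocal count
        count += 1
        return FRAGMENTS[path]

    expand_bounded(src, counting_fetch, max_depth, drop_over_limit=True)
    return count


if __name__ == "__main__":
    print(expand_bounded("/index", FRAGMENTS.__getitem__, 2))
    print("unbounded /bomb exhausts:", unbounded_exhausts("/bomb"))
    for cap in (0, 5, 10):
        print(f"cap {cap}: /bomb still costs {fetch_count('/bomb', cap)} fetches")
```

The fetch counts are the reason the Remediation note asks for the smallest depth that real pages need: with the cap at 5 a two-way self-include still costs 63 fetches, at 10 it costs 2047, and a fragment with ten includes per level scales as 10^depth. Fail-closed (refusing the over-limit include) is the safer default; dropping it silently keeps the response flowing but leaves that cost on the table.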

Priority Score

38 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.5, CVSS +38, POC 0

Vendor Status

Ubuntu

Priority: Medium
trafficserver
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
oracular ignored end of life, was needs-triage
jammy needed -
questing needed -
plucky ignored end of life, was needs-triage
noble needed -
upstream released 9.2.11

Debian

Bug #1108044
trafficserver
Release Status Fixed Version Urgency
bullseye vulnerable 8.1.10+ds-1~deb11u1 -
bullseye (security) vulnerable 8.1.11+ds-0+deb11u2 -
bookworm, bookworm (security) fixed 9.2.5+ds-0+deb12u3 -
sid vulnerable 9.2.5+ds-1 -
bookworm fixed 9.2.5+ds-0+deb12u3 -
(unstable) fixed (unfixed) -


CVE-2025-49763 vulnerability details – vuln.today
