CVE-2025-58136

EUVD-2025-209188 | Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2026-04-02 | Vendor: apache | GHSA-wvq7-4f7c-q7wc

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 02, 2026 - 16:30 (vuln.today)
EUVD ID Assigned: Apr 02, 2026 - 16:30 (euvd), EUVD-2025-209188
CVE Published: Apr 02, 2026 - 15:54 (nvd), rated HIGH 7.5

Description

A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue. A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).

Analysis

Denial of service in Apache Traffic Server 9.0.0-9.2.12 and 10.0.0-10.1.1 caused by improper handling of POST requests that triggers a server crash under specific conditions. The vulnerability affects all instances of the affected versions and requires no authentication or special privileges to exploit. Vendor-released patches are available in versions 9.2.13 and 10.1.2.

Technical Context

Apache Traffic Server is a high-performance, open-source HTTP proxy and caching server. The vulnerability resides in the POST request handling logic (CWE-670: Improper Handling of Incomplete Data or Missing Data), indicating a defect in how the server processes or validates HTTP POST message frames or request bodies during parsing. The affected versions span two major release branches (9.x and 10.x), suggesting the bug was either introduced before the branches diverged or persisted across refactored code paths. The workaround, which disables request buffering via proxy.config.http.request_buffer_enabled, implies the crash occurs within the request buffering subsystem when processing POST data under edge-case conditions (e.g., a malformed body, unusual Content-Length values, or chunked encoding anomalies).

Affected Products

Apache Traffic Server versions 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1 are affected (CPE: cpe:2.3:a:apache_software_foundation:apache_traffic_server:*:*:*:*:*:*:*:*). Apache Software Foundation advisory: https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q

Remediation

Vendor-released patches: upgrade Apache Traffic Server to version 9.2.13 or 10.1.2, depending on the currently deployed branch. For versions that cannot be immediately patched, apply the workaround by setting proxy.config.http.request_buffer_enabled to 0 in the proxy configuration file (note that this is the default value, so the issue likely manifests only under non-default configurations). Consult the vendor advisory at https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q for detailed upgrade and configuration instructions.
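The version ranges and workaround above can be turned into a quick triage check for an inventory of Traffic Server hosts. The following is an added example, not code from vuln.today or the Apache Traffic Server project; it assumes the 9.x records.config line format ("CONFIG <name> INT <value>") and treats an absent line as the documented default of 0.

```python
"""Triage helper for CVE-2025-58136 (Apache Traffic Server POST-handling DoS).

Decides whether a deployment is in an affected version range and whether the
documented workaround (proxy.config.http.request_buffer_enabled = 0) is in
effect. Assumption: config text is in the ATS 9.x records.config format
("CONFIG <name> INT <value>"); an absent line means the default value 0.
"""
import re

# Ranges and fixed releases as stated in the advisory.
AFFECTED = [((9, 0, 0), (9, 2, 12), (9, 2, 13)),
            ((10, 0, 0), (10, 1, 1), (10, 1, 2))]
SETTING = "proxy.config.http.request_buffer_enabled"


def parse_version(text):
    """Extract the first x.y.z version from e.g. a 'traffic_server -V' banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_range(version):
    """Return (is_affected, fixed_version_or_None) for a parsed version tuple."""
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return True, fixed
    return False, None


def request_buffer_enabled(records_config):
    """Read the workaround setting from records.config text (default 0)."""
    for line in records_config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "CONFIG" and parts[1] == SETTING:
            return int(parts[3])
    return 0


def triage(version_text, records_config):
    """Summarise exposure: not affected, affected but mitigated, or exposed."""
    hit, fixed = affected_range(parse_version(version_text))
    if not hit:
        return "not affected"
    target = ".".join(str(n) for n in fixed)
    if request_buffer_enabled(records_config) == 0:
        return f"affected; workaround active, upgrade to {target}"
    return f"affected; request buffering enabled, upgrade to {target} or set {SETTING} to 0"


# Constructed sample: a 9.2.12 host with buffering switched on (non-default).
SAMPLE_CONFIG = "CONFIG proxy.config.http.request_buffer_enabled INT 1\n"
```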

Priority Score

38 (KEV: 0, EPSS: +0.0, CVSS: +38, POC: 0)
