Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
A bug in POST request handling causes a crash under a certain condition.
This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.
Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.
A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).
AnalysisAI
Denial of service in Apache Traffic Server 9.0.0-9.2.12 and 10.0.0-10.1.1 caused by improper handling of POST requests that triggers a server crash under specific conditions. The vulnerability affects all instances of the affected versions and requires no authentication or special privileges to exploit. Vendor-released patches are available in versions 9.2.13 and 10.1.2.
Technical ContextAI
Apache Traffic Server is a high-performance, open-source HTTP proxy and caching server. The vulnerability resides in the POST request handling logic (CWE-670: Improper Handling of Incomplete Data or Missing Data), indicating a defect in how the server processes or validates HTTP POST message frames or request bodies during parsing. The affected versions span two major release branches (9.x and 10.x), suggesting the bug may have been introduced or persisted across refactored code paths. The workaround-disabling request buffering via proxy.config.http.request_buffer_enabled-implies the crash occurs within the request buffering subsystem when processing POST data under edge-case conditions (e.g., malformed body, unusual Content-Length values, or chunked encoding anomalies).
RemediationAI
Vendor-released patches: upgrade Apache Traffic Server to version 9.2.13 or 10.1.2, depending on the currently deployed branch. For versions that cannot be immediately patched, apply the workaround by setting proxy.config.http.request_buffer_enabled to 0 in the proxy configuration file (note that this is the default value, so the issue likely manifests only under non-default configurations). Consult the vendor advisory at https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q for detailed upgrade and configuration instructions.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209188
GHSA-wvq7-4f7c-q7wc