CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description
Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Analysis
Apache Traffic Server versions 9.0.0-9.2.12 and 10.0.0-10.1.1 are vulnerable to HTTP request smuggling through malformed chunked transfer encoding, allowing attackers to bypass security controls and smuggle malicious requests. The vulnerability stems from improper parsing of chunked messages (CWE-444: Inconsistent Interpretation of HTTP Requests) and affects all deployments using these versions as reverse proxies or intermediaries. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation has been reported at the time of analysis.
Technical Context
The vulnerability lies in inconsistent handling of HTTP chunked transfer encoding in Apache Traffic Server, a high-performance reverse proxy and caching server. CWE-444 describes the root cause: when a request contains malformed chunk delimiters or size declarations, Traffic Server's parsing logic diverges from the backend server's interpretation, so an attacker can place request boundaries that one interpreter honours and the other does not see. This creates a desynchronization window in which a secondary request can be injected that bypasses authentication, WAF rules, or access controls on the backend. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_traffic_server) covers all configurations using the vulnerable code paths for HTTP/1.1 chunked encoding.
Affected Products
Apache Traffic Server versions 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1 are affected (CPE: cpe:2.3:a:apache_software_foundation:apache_traffic_server). The vulnerability impacts all deployments of these versions regardless of configuration. Users of earlier versions (pre-9.0.0) or later patched versions (9.2.13+ or 10.1.2+) are not affected. Additional details and confirmation are available in the Apache Security Advisory at https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q.
Remediation
Upgrade to Apache Traffic Server version 9.2.13 or 10.1.2 (or later) immediately. For version 9.x users, upgrade to 9.2.13 or newer; for version 10.x users, upgrade to 10.1.2 or newer. Refer to the official Apache Traffic Server release notes and the advisory at https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q for detailed upgrade instructions. As a temporary mitigation, organizations unable to patch immediately should restrict network access to Traffic Server to trusted upstream servers or apply WAF rules to block requests with suspicious chunked encoding patterns, though such workarounds do not fully eliminate the risk.
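The Technical Context above explains that the bug is a disagreement between two parsers about where a chunked message ends, and the Remediation mentions filtering suspicious chunked patterns. The following is an added example, not Apache Traffic Server code and not the project's patch: it shows what a strictly conforming RFC 9112 framing check looks like, i.e. the behaviour a proxy or WAF needs so that its view of message boundaries cannot diverge from the backend's. The advisory does not state which specific malformation Traffic Server mishandled, so the example applies the general rule (accept only the exact chunked grammar and reject everything else rather than repairing it) and generalizes beyond the page by also checking the header-level framing conflicts from RFC 9112 section 6.3. All sample bodies and headers are constructed for the example.

```python
"""Strict HTTP/1.1 chunked-framing checks (added example; not Apache Traffic
Server code). Reimplements the RFC 9112 rules a proxy must apply identically to
its backend to avoid CWE-444 desync; all sample messages are constructed."""
import re
from typing import List, Optional, Tuple

# RFC 9112 s7.1: chunk-size is 1*HEXDIG, optional chunk-ext, then CRLF.
# Deliberately NOT accepted: leading/trailing whitespace, a sign, an "0x"
# prefix, or a bare LF. Extension content is only required to be free of CR/LF.
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)([ \t]*;[^\r\n]*)?\r\n")


class MalformedChunk(ValueError):
    """The body deviates from RFC 9112 chunked syntax."""


def parse_chunked_body(body: bytes, max_size: int = 1 << 20) -> bytes:
    """Decode a chunked body strictly; return the payload or raise MalformedChunk.

    Leftover bytes after the last-chunk are an error: a lenient parser that
    keeps them as the start of a *next* message is the desync the advisory
    describes.
    """
    out = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_LINE.match(body, pos)  # match() is anchored at pos
        if m is None:
            raise MalformedChunk(f"bad chunk-size line at offset {pos}")
        hex_size = m.group(1)
        if len(hex_size) > 16:
            raise MalformedChunk("chunk-size has too many hex digits")
        size = int(hex_size, 16)
        pos = m.end()
        if size == 0:
            # last-chunk: zero or more trailer field-lines, then an empty line.
            while True:
                nl = body.find(b"\r\n", pos)
                if nl == -1:
                    raise MalformedChunk("unterminated trailer section")
                line, pos = body[pos:nl], nl + 2
                if line == b"":
                    break
                if b"\n" in line or b"\r" in line or b":" not in line:
                    raise MalformedChunk("malformed trailer field-line")
            if pos != len(body):
                raise MalformedChunk(f"{len(body) - pos} bytes after last-chunk")
            return bytes(out)
        if size > max_size or len(out) + size > max_size:
            raise MalformedChunk("decoded body exceeds limit")
        data = body[pos:pos + size]
        if len(data) != size:
            raise MalformedChunk("chunk data truncated")
        pos += size
        # chunk-data MUST be followed by CRLF; a declared size that does not
        # match the data is exactly where lenient parsers start guessing.
        if body[pos:pos + 2] != b"\r\n":
            raise MalformedChunk(f"chunk data not terminated by CRLF at {pos}")
        pos += 2
        out += data


def check_chunked(body: bytes) -> Optional[str]:
    """Return None if the body is well-formed, else the reason it was rejected."""
    try:
        parse_chunked_body(body)
    except MalformedChunk as exc:
        return str(exc)
    return None


def framing_problem(headers: List[Tuple[bytes, bytes]]) -> Optional[str]:
    """Return why message framing is ambiguous, or None if it is unambiguous.

    Mirrors RFC 9112 s6.3: both Transfer-Encoding and Content-Length present,
    a Transfer-Encoding whose final coding is not exactly one 'chunked', or
    conflicting Content-Length values each give two parsers two different
    ways to find the message end, so a proxy should reject rather than pick.
    """
    te = [v.strip().lower() for n, v in headers if n.lower() == b"transfer-encoding"]
    cl = [v.strip() for n, v in headers if n.lower() == b"content-length"]
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"
    if te:
        codings = [c.strip() for v in te for c in v.split(b",") if c.strip()]
        if not codings or codings[-1] != b"chunked" or codings.count(b"chunked") > 1:
            return "Transfer-Encoding does not end in a single chunked coding"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return "non-numeric Content-Length"
    return None


if __name__ == "__main__":
    # Constructed samples: one conforming body, then malformed variants.
    print(parse_chunked_body(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    for sample in (b" 4\r\nWiki\r\n0\r\n\r\n", b"4\nWiki\r\n0\r\n\r\n",
                   b"5\r\nWiki\r\n0\r\n\r\n", b"0\r\n\r\nEXTRA"):
        print(sample, "->", check_chunked(sample))
    print(framing_problem([(b"Transfer-Encoding", b"chunked"),
                           (b"Content-Length", b"4")]))
```

The design choice that matters is that every deviation is a hard reject (typically a 400 and connection close in a real proxy), never a best-effort repair: a proxy that tolerates a leading space, a bare LF, or a size that disagrees with the data may still produce a sensible-looking body, but the backend may draw the boundary elsewhere, and that difference is the whole vulnerability class. The same strictness is what a WAF rule for "suspicious chunked encoding patterns" is approximating; applying it in the parser itself is the complete fix that the vendor patch provides.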
External POC / Exploit Code
EUVD-2025-209190
GHSA-5vvj-6v57-2369