CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
Description (NVD)
Apache Traffic Server allows request smuggling if chunked messages are malformed.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.
Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Analysis (AI)
Apache Traffic Server 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1 accept malformed chunked-transfer-encoded messages in a way that can desynchronize the proxy from the origin server it forwards to, enabling HTTP request smuggling (CWE-444: Inconsistent Interpretation of HTTP Requests). The CVSS vector (network-reachable, no privileges, no user interaction, integrity High, confidentiality and availability None) reflects the usual outcome: an unauthenticated client injects a request that reaches the origin without passing through the controls the proxy applies to requests it actually sees. Any deployment running an affected version as a reverse proxy or other HTTP/1.1 intermediary is exposed. Apache has released patched versions 9.2.13 and 10.1.2; no public exploit code or active exploitation had been reported at the time of analysis.
Technical Context (AI)
Apache Traffic Server is a high-performance caching reverse proxy, so every HTTP/1.1 request that crosses it is parsed twice: once by Traffic Server and once by the origin. For a chunked message the end of the request is decided by the chunk-size lines and the terminating zero-length chunk, not by a Content-Length header. CWE-444 names the root cause: if Traffic Server accepts a malformed chunk-size line or chunk delimiter and frames the message one way, while the origin frames the same bytes another way, the two sides disagree on where the first request stops. Everything after that point is read by one side as the tail of the current request and by the other as the start of a new one. On a reused upstream connection this lets an attacker prepend a request of their choosing to traffic that reaches the origin, sidestepping authentication, WAF rules, routing or access checks that the proxy applies only to requests it recognizes as such. The public description does not state which malformation is accepted, so defenders should treat any chunk framing that departs from RFC 9112 (non-hex chunk sizes, missing CRLF after chunk data, malformed extensions or trailers) as suspect. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_traffic_server) covers all configurations using the vulnerable code paths for HTTP/1.1 chunked encoding.
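The desynchronization described above, as an added example that is not Traffic Server's code and does not reproduce this CVE's actual malformation (which the advisory does not publish): two constructed lenient chunk-size readers disagree on the same malformed line "0x3c", one reading it as 0 (hex prefix only, junk ignored) and the other as 60 (the language's int() accepts a 0x prefix). Fed the same constructed byte stream, one side sees two requests and the other sees one, which is exactly the CWE-444 condition; a strict RFC 9112 reader rejects the line instead. The request and host names are placeholders.

```python
import re
from dataclasses import dataclass

CRLF = b"\r\n"


class MalformedChunk(ValueError):
    """Raised when a chunk-size line is not accepted by the reader in use."""


# Three readers for the chunk-size line. Only chunk_size_strict follows RFC 9112
# (1*HEXDIG, optional ";ext"). The two lenient readers are constructed for this
# example to illustrate CWE-444; neither is Apache Traffic Server's code.
def chunk_size_strict(line: bytes) -> int:
    m = re.fullmatch(rb"([0-9A-Fa-f]+)(?:[ \t]*;[^\r\n]*)?", line)
    if m is None:
        raise MalformedChunk(f"rejecting chunk-size line {line!r}")
    return int(m.group(1), 16)


def chunk_size_prefix_only(line: bytes) -> int:
    """Lenient reader A: take the leading hex digits, silently ignore the rest."""
    m = re.match(rb"[0-9A-Fa-f]+", line)
    if m is None:
        raise MalformedChunk(f"no hex digits in {line!r}")
    return int(m.group(0), 16)


def chunk_size_language_int(line: bytes) -> int:
    """Lenient reader B: hand the field to int(..., 16), which also accepts a 0x
    prefix, surrounding whitespace and underscores."""
    try:
        return int(line.split(b";", 1)[0].decode("ascii"), 16)
    except (UnicodeDecodeError, ValueError) as exc:
        raise MalformedChunk(f"unparsable chunk-size line {line!r}") from exc


@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: bytes


def _expect_crlf(stream: bytes, pos: int) -> int:
    if stream[pos:pos + 2] != CRLF:
        raise MalformedChunk(f"expected CRLF at offset {pos}")
    return pos + 2


def parse_requests(stream: bytes, size_fn) -> list:
    """Split a client-to-server byte stream into HTTP/1.1 requests, framing
    chunked bodies with size_fn. Returns the requests this side believes it saw."""
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise ValueError("incomplete request head")
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        body = b""
        if headers.get("transfer-encoding") == "chunked":
            while True:
                eol = stream.find(CRLF, pos)
                if eol < 0:
                    raise MalformedChunk("unterminated chunk-size line")
                size = size_fn(stream[pos:eol])
                pos = eol + 2
                if size == 0:
                    pos = _expect_crlf(stream, pos)  # empty trailer section
                    break
                body += stream[pos:pos + size]
                pos = _expect_crlf(stream, pos + size)
        else:
            length = int(headers.get("content-length", "0"))
            body = stream[pos:pos + length]
            pos += length
        requests.append(Request(method, target, headers, body))
    return requests


# Constructed attack stream (hypothetical, not from the advisory). The smuggled
# request sits inside a chunk whose size line "0x3c" is malformed: reader A
# sees size 0 and ends the body there, reader B sees size 60 and swallows it.
SMUGGLED = (b"\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n"
            b"Content-Length: 7\r\n\r\n")
ATTACK_STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: internal\r\nTransfer-Encoding: chunked\r\n\r\n"
    + b"0x%x" % len(SMUGGLED) + CRLF
    + SMUGGLED + CRLF
    + b"0" + CRLF + CRLF
)


def requests_seen(size_fn):
    """Request lines one hop believes it received from ATTACK_STREAM."""
    return [f"{r.method} {r.target}" for r in parse_requests(ATTACK_STREAM, size_fn)]


if __name__ == "__main__":
    print("lenient A:", requests_seen(chunk_size_prefix_only))   # ['POST /upload', 'GET /admin']
    print("lenient B:", requests_seen(chunk_size_language_int))  # ['POST /upload']
    try:
        requests_seen(chunk_size_strict)
    except MalformedChunk as exc:
        print("strict   :", exc)
```

Under reader A the trailing bytes "\r\n0\r\n\r\n" become the 7-byte body of the smuggled GET, so both requests parse cleanly; under reader B the same bytes are the end of the POST. Whichever side is the proxy, the GET /admin reaches the other side without ever being evaluated as a request by the first. The defensive lesson is the strict reader: reject the line rather than guess.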
Remediation (AI)
Upgrade to Apache Traffic Server 9.2.13 (9.x line) or 10.1.2 (10.x line), or later, and confirm the running build with `traffic_server --version` rather than trusting package metadata. The advisory at https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q and the official release notes give upgrade details. Where an immediate upgrade is impossible, reduce exposure on the client-facing side, which is where smuggling attempts arrive: restrict which networks can reach Traffic Server's listening ports where the deployment allows it, and have any in-path WAF or edge device reject, rather than forward, requests whose chunked framing is not RFC 9112-compliant (non-hex chunk sizes, missing CRLF after chunk data, malformed chunk extensions or trailers). Restricting the proxy's connections to trusted origin servers does not help, since the malformed messages come from clients. None of these workarounds eliminates the vulnerability; the only complete fix is the patched release.
External POC / Exploit Code
EUVD-2025-209190
GHSA-5vvj-6v57-2369