PT-2025-14566 · Apache +1 · Apache Traffic Server +1

Published: 2025-04-02 · Updated: 2025-11-24 · CVE-2024-53868

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Versions

Apache Traffic Server versions 9.2.0 through 9.2.9
Apache Traffic Server versions 10.0.0 through 10.0.4
Description

Apache Traffic Server is susceptible to HTTP request smuggling when processing malformed chunked messages. This issue can allow an attacker to send a hidden HTTP request, potentially leading to cache poisoning and security bypasses. The vulnerability exists due to improper handling of HTTP request headers. There is no information available regarding the number of potentially affected devices or any real-world incidents where this issue has been exploited.
Recommendations

Upgrade to version 9.2.10 or 10.0.5 to resolve the issue.
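As an added example (not part of this advisory and not Apache project code), a short Python check that maps an installed Apache Traffic Server version onto the affected and fixed versions listed above; the numeric tuple comparison matters because a naive string comparison would rank 9.2.10 below 9.2.9.

```python
# Added example, not from the advisory: decide whether an Apache Traffic Server
# version lies inside the ranges this advisory lists for CVE-2024-53868 and,
# if so, name the first fixed release on the same branch.
from typing import Optional, Tuple

# (first affected, last affected, first fixed) per release branch; the values
# are taken from the advisory text above.
AFFECTED_RANGES = [
    ((9, 2, 0), (9, 2, 9), (9, 2, 10)),
    ((10, 0, 0), (10, 0, 4), (10, 0, 5)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.2.10' into (9, 2, 10) so comparisons are numeric, not lexical.

    A missing patch component is assumed to be 0 ('9.2' -> (9, 2, 0)); this is
    an assumption of the example, not something the advisory states.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    version = tuple(int(p) for p in parts)
    while len(version) < 3:
        version += (0,)
    return version


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high, _fixed in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the first fixed release on the same branch, or None if not affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample versions, including the boundary cases on both branches.
    for sample in ("9.2.9", "9.2.10", "10.0.4", "10.0.5", "8.1.0"):
        status = "affected" if is_affected(sample) else "not affected"
        print(f"{sample}: {status}, upgrade to {recommended_fix(sample)}")
```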

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

BDU:2025-03879
CVE-2024-53868
DSA-5948-1
OESA-2025-1415
OESA-2025-1416

Affected Products

Apache Traffic Server
Debian