PT-2025-25773 · Apache+1 · Apache Traffic Server+1
Yohann Sillam · Published 2025-01-01 · Updated 2026-01-09 · CVE-2025-49763
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions 9.0.0 through 9.2.10
Apache Traffic Server versions 10.0.0 through 10.0.5
Description
The ESI plugin has no limit on maximum inclusion depth, so inserted malicious instructions can cause excessive memory consumption. This can be exploited, potentially leading to significant issues. Users can use a new plugin setting (--max-inclusion-depth) to limit the inclusion depth.
Recommendations
For Apache Traffic Server versions 9.0.0 through 9.2.10, upgrade to version 9.2.11.
For Apache Traffic Server versions 10.0.0 through 10.0.5, upgrade to version 10.0.6.
Fix
DoS
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Apache Traffic Server
Debian