A security flaw in Apache Traffic Server (ATS) is targeting cloud service providers worldwide. The vulnerability, identified as CVE-2025-49763, exposes affected systems to denial-of-service (DoS) attacks that exploit a critical ACL issue in the server’s Edge Side Includes (ESI) plugin, enabling attackers to exhaust server memory and disrupt operations.
Apache Traffic Server is widely used as a high-performance, scalable caching proxy and traffic management system. The newly reported Apache Traffic Server vulnerability centers on the ESI plugin, a component designed to assemble web content at the edge dynamically. This feature, while valuable, contains a flaw in its processing of inclusion depth, a mechanism that controls how many nested ESI requests the server will follow.
Decoding CVE-2025-49763 Vulnerability
Attackers can craft malicious requests that recursively force the ESI plugin to process deeper inclusion layers than intended. This triggers excessive memory consumption, ultimately overwhelming the server’s resources and leading to a DoS condition that can take critical infrastructure offline.
In an official advisory, the Apache Software Foundation highlighted not only this flaw but also a related ACL issue affecting the PROXY protocol client IP address handling. These combined vulnerabilities pose a multifaceted threat to systems running vulnerable ATS versions.
Details of CVE-2025-49763 and Related Issues
- CVE-2025-49763: A remote DoS vulnerability via memory exhaustion in the ESI plugin.
- Affected Versions: ATS versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5.
- Reporter: The DoS flaw was reported by security researcher Yohann Sillam.
- Related ACL Issue: CVE-2025-31698, involving incorrect client IP address handling for access control, was reported by Masakazu Kitajo.
Mitigation Strategies and Recommendations
In response to these vulnerabilities, the Apache Software Foundation promptly released patched versions—ATS 9.2.11 and 10.0.6—that introduce new configurable settings aimed at mitigating the risks rather than applying an automatic fix. Users are strongly encouraged to upgrade to these versions or later releases.
Key mitigation steps include:
- Upgrading ATS: Organizations should update their servers to version 9.2.11 or 10.0.6 or above.
- Configuring ESI Plugin Limits: The new –max-inclusion-depth setting, defaulting to 3, limits the depth of nested ESI includes, effectively preventing infinite recursive processing that leads to memory exhaustion.
- Addressing the ACL Issue: For deployments using the PROXY protocol, administrators should configure the proxy.config.acl.subject setting to correctly determine which IP addresses are subject to access control lists (ACLs), as outlined in ip_allow.config and remap.config.
If left unaddressed, CVE-2025-49763 could allow remote attackers to incapacitate ATS servers by exhausting memory resources, causing service interruptions that impact user experience and potentially incur financial and reputational damage.
Conclusion
By promptly upgrading affected ATS versions and applying the recommended configuration changes, especially around the ESI plugin inclusion depth and ACL rules, organizations can reduce their exposure to disruptive DoS attacks.
Administrators running ATS versions 9.0.0 to 9.2.10 or 10.0.0 to 10.0.5 should prioritize these actions to protect their web infrastructure from the damaging effects of memory exhaustion-based attacks.
