CVE-2025-49763

Published Jun 19, 2025

Last updated a year ago

Overview

Description
The ESI plugin does not limit the maximum inclusion depth, which allows excessive memory consumption when malicious ESI instructions (such as a fragment that recursively includes itself) are inserted into content the plugin processes. A new plugin setting (--max-inclusion-depth) lets users cap the depth. This issue affects Apache Traffic Server 10.0.0 through 10.0.5 and 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fix the issue.
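The recursive-inclusion failure the description refers to, as an added example (constructed here, not Apache Traffic Server's code): a toy ESI include resolver over an in-memory origin, run once without a depth cap and once with one. The paths, the `EsiResolver` class, its `max_inclusion_depth` argument and the 64 KiB "memory budget" (a stand-in for the proxy process running out of memory) are the example's own assumptions; only the option name `--max-inclusion-depth` comes from the advisory.

```python
"""Toy ESI include resolver (constructed example, not Apache Traffic Server code).

Shows the failure mode behind CVE-2025-49763 (unbounded inclusion nesting) and
the shape of the fix (a maximum inclusion depth), using an in-memory "origin"
instead of real HTTP fetches.
"""
import re

# Matches the self-closing <esi:include src="..."/> form used by the sample
# fragments below; real ESI has more syntax than this toy handles.
INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')

# Constructed origin content keyed by path. /bomb includes itself twice, so a
# resolver with no depth cap keeps fetching and buffering fragments until the
# proxy runs out of memory. /page, /header and /nav form a normal 2-deep page.
ORIGIN = {
    "/bomb": '<p>x</p><esi:include src="/bomb"/><esi:include src="/bomb"/>',
    "/page": '<html><esi:include src="/header"/></html>',
    "/header": '<h1>Site</h1><esi:include src="/nav"/>',
    "/nav": '<ul><li>home</li></ul>',
}


class InclusionDepthExceeded(Exception):
    """The safe failure: nesting went past the configured cap."""


class MemoryBudgetExceeded(Exception):
    """Demo stand-in for the proxy being OOM-killed; not a real limit."""


class EsiResolver:
    def __init__(self, origin, max_inclusion_depth=None, memory_budget=64 * 1024):
        self.origin = origin
        self.max_inclusion_depth = max_inclusion_depth  # None = uncapped (vulnerable)
        self.memory_budget = memory_budget              # bytes the demo may buffer
        self.fetches = 0
        self.bytes_buffered = 0

    def _fetch(self, path):
        """Pretend to fetch a fragment from the origin and buffer it."""
        body = self.origin[path]
        self.fetches += 1
        self.bytes_buffered += len(body)
        if self.bytes_buffered > self.memory_budget:
            raise MemoryBudgetExceeded(
                f"buffered {self.bytes_buffered} bytes after {self.fetches} fetches")
        return body

    @staticmethod
    def _segments(body):
        """Split a body into ('text', str) and ('include', path) pieces."""
        pos = 0
        for m in INCLUDE_RE.finditer(body):
            if m.start() > pos:
                yield ("text", body[pos:m.start()])
            yield ("include", m.group(1))
            pos = m.end()
        if pos < len(body):
            yield ("text", body[pos:])

    def expand(self, path):
        """Expand includes depth-first with an explicit stack (no recursion, so
        the only limits in play are the depth cap and the memory budget)."""
        out = []
        stack = [(self._segments(self._fetch(path)), 0)]  # (segments, depth)
        while stack:
            segs, depth = stack[-1]
            seg = next(segs, None)
            if seg is None:
                stack.pop()
                continue
            kind, value = seg
            if kind == "text":
                out.append(value)
                continue
            child_depth = depth + 1
            if self.max_inclusion_depth is not None and child_depth > self.max_inclusion_depth:
                raise InclusionDepthExceeded(
                    f"{value!r} would nest at depth {child_depth}, cap is {self.max_inclusion_depth}")
            stack.append((self._segments(self._fetch(value)), child_depth))
        return "".join(out)


def run_demo():
    """Same origin, with and without a depth cap; returns the outcomes."""
    results = {}
    normal = EsiResolver(ORIGIN, max_inclusion_depth=2)
    results["page"] = normal.expand("/page")  # legitimate nesting still works

    uncapped = EsiResolver(ORIGIN, max_inclusion_depth=None)
    try:
        uncapped.expand("/bomb")
        results["uncapped"] = "completed"
    except MemoryBudgetExceeded:
        results["uncapped"] = f"memory budget exceeded after {uncapped.fetches} fetches"

    capped = EsiResolver(ORIGIN, max_inclusion_depth=2)
    try:
        capped.expand("/bomb")
        results["capped"] = "completed"
    except InclusionDepthExceeded:
        results["capped"] = f"depth cap hit after {capped.fetches} fetches"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Run it as a script: the normal page expands fully under a cap of 2, the uncapped resolver keeps fetching `/bomb` until the memory budget trips, and the capped resolver aborts after three fetches. Note that a depth cap bounds nesting, not fan-out: a fragment with w includes can still cost up to w^depth fetches within the cap, so keep the cap as low as your templates allow. In Traffic Server itself the control is the `--max-inclusion-depth` argument the advisory names, passed to the ESI plugin (esi.so) in plugin.config.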
Source
security@apache.org
NVD status
Analyzed
Products
traffic_server

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-400

Social media

Hype score
Not currently trending
  1. 🛑 Happy to share my new finding, as part of Imperva's Offensive Team, in Apache Traffic Server via the ESI plugin: CVE-2025-49763, a high-severity bug that enables a threat actor to remotely exhaust memory and crash a proxy instance via recursive ESI inclusion https://t.co/O6Tn2BsZ

    @SillamYohann, 22 Jun 2025: 39 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  2. #CVE-2025-49763 - #Remote_DoS via #Memory_Exhaustion in #Apache Traffic Server via #ESI Plugin https://t.co/kbDCIBwPRe https://t.co/GIT07ix44c

    @omvapt, 21 Jun 2025: 22 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  3. Critical vulnerability CVE-2025-49763 in Apache Traffic Server versions 9.0.0-9.2.10 & 10.0.0-10.0.5 can lead to memory exhaustion & DoS via ESI plugin. Proper upgrades & configs are essential. 🚨 #CyberThreat #Apache #US https://t.co/7Hmv4hMXu1

    @TweetThreatNews, 20 Jun 2025: 58 impressions, 0 retweets, 1 like, 0 bookmarks, 0 replies, 0 quotes

  4. A serious vulnerability (CVE-2025-49763) has been discovered in the ESI plugin of Apache Traffic Server. This vulnerability enables a remote DoS attack, causing a service outage by exhausting server memory.

    @yousukezan, 19 Jun 2025: 1427 impressions, 1 retweet, 5 likes, 1 bookmark, 0 replies, 0 quotes

  5. Two critical flaws in Apache Traffic Server (CVE-2025-31698, CVE-2025-49763) allow IP-based ACL bypass and remote DoS via ESI plugin. Update and configure immediately. #ApacheATS #Cybersecurity #Vulnerability #DoS #PatchNow https://t.co/U8V6Fs1Hne

    @the_yellow_fall, 19 Jun 2025: 307 impressions, 0 retweets, 6 likes, 3 bookmarks, 0 replies, 0 quotes

Configurations

References

Sources include official advisories and independent security research.