AI description
CVE-2025-65114 is a denial-of-service (DoS) vulnerability affecting Apache Traffic Server, stemming from a flaw in how it handles malformed chunked messages during HTTP request processing. This vulnerability, classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), enables request smuggling attacks. When Apache Traffic Server receives malformed chunked messages, it fails to properly validate and parse the chunk sizes and boundaries, leading to a discrepancy in how the proxy and backend servers interpret the HTTP requests. This flaw allows attackers to craft specially malformed chunked HTTP requests, potentially bypassing security controls, poisoning web caches, and gaining unauthorized access to sensitive data. The vulnerability impacts Apache Traffic Server versions 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1.
- Description: Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
- Source: security@apache.org
- NVD status: Analyzed
- Products: traffic_server
CVSS 3.1
- Type: Secondary
- Base score: 7.5
- Impact score: 3.6
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Severity: HIGH
- security@apache.org: CWE-444
⚠️ Vulnerabilities in Apache products ❗ CVE-2025-65114 ❗ CVE-2025-58136 ➡️ More info: https://t.co/iiFwh4FGXs https://t.co/0Cw71xkIId
@CERTpy
20 Apr 2026
Apache Traffic Server request smuggling (CVE-2025-65114) is fixed in 10.1.2. But the real problem is HTTP chunked parsing—and that will break again. Read more: 👉 https://t.co/spBVBnfEku #Security #Fedora https://t.co/ugaSm0xg8M
@Cezar_H_Linux
12 Apr 2026
Critical vulnerabilities in Apache Traffic Server (CVE-2025-58136 & CVE-2025-65114) can lead to DoS and request smuggling attacks. Upgrade to the latest versions now! Link: https://t.co/rzvnWItsqE #Security #Vulnerability #Cyberattack #Upgrade #Apache #Software #Internet #Thr
@dailytechonx
7 Apr 2026
⚠️ **Vulnerability Alert:** Apache Traffic Server (CVE-2025-58136, CVE-2025-65114) and Dgraph Database (CVE-2026-34976) 📅 **Timeline:** Disclosure: 2026-04-06, Patch: 2026-04-06 🆔 **CVE-2026-34976** | 📊 CVSS: 10.0 (Critical 🔴) 🆔 **CVE-2025-58136** 🆔 **CVE-2
@syedaquib77
6 Apr 2026
⚠️ **Vulnerability Alert:** Apache Traffic Server Denial-of-Service and Request Smuggling Vulnerabilities 📅 **Timeline:** Disclosure: 2026-04-02, Patch: 2026-04-02 🆔 **CVE-2025-58136** | 📊 CVSS: 7.5 (HIGH 🟠) | 📈 EPSS: 12.25% 🆔 **CVE-2025-65114** | 📊 CVSS
@syedaquib77
6 Apr 2026
⚠️ **Vulnerability Alert:** Apache Traffic Server — two high-severity DoS / HTTP request smuggling vulnerabilities (CVE-2025-58136, CVE-2025-65114) 📅 **Timeline:** Disclosure: 2026-04-02, Patch: 2026-04-02 🆔 **CVE-2025-58136** | 📊 CVSS: 7.5 (HIGH 🟠) | 📈 EPSS
@syedaquib77
6 Apr 2026
⚠️ **Vulnerability Alert:** Apache Traffic Server — Two high-severity DoS/request-smuggling vulnerabilities (CVE-2025-58136, CVE-2025-65114) 📅 **Timeline:** Disclosure: 2026-04-02, Patch: 2026-04-02 🆔 **CVE-2025-58136** | 📊 CVSS: 7.5 (HIGH 🟠) | 📈 EPSS: 12.25
@syedaquib77
6 Apr 2026
Apache Traffic Server fixes two CVSS 7.5 flaws (CVE-2025-58136 & CVE-2025-65114). Prevent DoS and request smuggling—update to 10.1.2 or 9.2.13 now! #ApacheTrafficServer #ATS #InfoSec #CyberSecurity #WebCache #RequestSmuggling #PatchAlert #SysAdmin https://t.co/i9XtjWdc2o h
@the_yellow_fall
3 Apr 2026
Apache Traffic Server (ATS) is vulnerable to HTTP requests with body https://t.co/cu38yEAVUg CVE-2025-58136: A simple legitimate POST request causes a crash CVE-2025-65114: Malformed chunked message body allows request smuggling
@oss_security
3 Apr 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "361CCF7A-CB22-4074-A902-779476856482",
            "versionEndExcluding": "9.2.13",
            "versionStartIncluding": "9.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "CA23F0DC-E368-4327-87A1-A0DCD8553AFF",
            "versionEndExcluding": "10.1.2",
            "versionStartIncluding": "10.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]