ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.

Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00074}

epss

{'score': 0.00088}


Tue, 01 Jul 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache traffic Server
CPEs cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache traffic Server

Fri, 20 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 19 Jun 2025 10:15:00 +0000

Type Values Removed Values Added
Title trafficserver: Apache Traffic Server PROXY Protocol ACL Bypass Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL

Fri, 20 Jun 2025 03:15:00 +0000

Type Values Removed Values Added
Title trafficserver: Apache Traffic Server PROXY Protocol ACL Bypass
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

threat_severity

Moderate


Thu, 19 Jun 2025 10:45:00 +0000

Type Values Removed Values Added
Description ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
Weaknesses CWE-284
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-06-20T13:32:19.681Z

Reserved: 2025-03-31T23:45:24.580Z

Link: CVE-2025-31698

Vulnrichment

Updated: 2025-06-20T13:31:47.401Z

NVD

Status : Analyzed

Published: 2025-06-19T10:15:20.980

Modified: 2025-07-01T20:14:42.687

Link: CVE-2025-31698

Redhat

Severity : Moderate

Public Date: 2025-06-19T10:07:46Z

Links: CVE-2025-31698 - Bugzilla

OpenCVE Enrichment

Updated: 2025-06-20T13:24:21Z