{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49763", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-06-09T23:10:28.606Z", "datePublished": "2025-06-19T10:07:15.450Z", "dateUpdated": "2025-06-20T13:56:54.082Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Traffic Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "10.0.5", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.10", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Yohann Sillam"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.</p>Users can use a new setting for the plugin (--max-inclusion-depth) to limit it.<br><p>This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.</p><p>Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.</p>"}], "value": "ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-19T10:07:15.450Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-20T13:56:03.623928Z", "id": "CVE-2025-49763", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T13:56:54.082Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-49763", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-20T13:56:03.623928Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T13:56:20.661Z"}}], "cna": {"title": "Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Yohann Sillam"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Traffic Server", "versions": [{"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.5"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.2.10"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.</p>Users can use a new setting for the plugin (--max-inclusion-depth) to limit it.<br><p>This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.</p><p>Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-19T10:07:15.450Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49763", "state": "PUBLISHED", "dateUpdated": "2025-06-20T13:56:54.082Z", "dateReserved": "2025-06-09T23:10:28.606Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-06-19T10:07:15.450Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AB2F8C0-3B8A-4C21-8358-4718FB3ECA5C", "versionEndExcluding": "9.2.11", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AF96465-2A06-4EC2-832C-36A094908691", "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue."}, {"lang": "es", "value": "El complemento ESI no tiene l\u00edmite de profundidad m\u00e1xima de inclusi\u00f3n, lo que permite un consumo excesivo de memoria si se insertan instrucciones maliciosas. Los usuarios pueden usar una nueva configuraci\u00f3n del complemento (--max-inclusion-depth) para limitarlo. Este problema afecta a Apache Traffic Server: de la 10.0.0 a la 10.0.5 y de la 9.0.0 a la 9.2.10. Se recomienda actualizar a la versi\u00f3n 9.2.11 o 10.0.6, que soluciona el problema."}], "id": "CVE-2025-49763", "lastModified": "2025-07-01T20:15:05.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-06-19T10:15:21.887", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "trafficserver: Traffic Server ESI Inclusion Depth Vulnerability", "id": "2373845", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373845"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.", "A flaw was found in trafficserver. The Edge Side Includes (ESI) plugin lacks a limit on maximum inclusion depth, allowing a remote attacker to trigger excessive memory consumption by inserting malicious instructions. This condition occurs due to the plugin's inability to restrict the nesting of ESI includes, potentially leading to a denial of service. The vulnerability is triggered via a crafted ESI request."], "mitigation": {"lang": "en:us", "value": "To mitigate this flaw use a new setting for the plugin (--max-inclusion-depth) to limit it."}, "name": "CVE-2025-49763", "public_date": "2025-06-19T10:07:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-49763"], "statement": "This issue is rated as Important because it allows a remote, unauthenticated attacker to impact the availability of the service without requiring user interaction. While it requires a specific plugin to be enabled, ESI is a common feature for environments that serve dynamic content. The vulnerability does not lead to a compromise of confidentiality or integrity, preventing a \"Critical\" rating. Apache Traffic Server is primarily available in Red Hat environments through the community-supported EPEL repository, which is a key factor in this assessment.", "threat_severity": "Important"}

{"created": "2025-06-20T13:24:21.523304+00:00", "updated": "2025-06-20T14:09:47.249344+00:00", "vendors": ["apache", "apache$PRODUCT$apache_traffic_server"]}