Description
A bug in POST request handling causes a crash under a certain condition.

This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.

Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.

A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A bug in Apache Traffic Server's handling of POST requests can cause the server to terminate when receiving a legitimate request, resulting in an availability outage. The flaw involves improper release of a reference counted resource and is identified as CWE-670. The crash occurs under a specific internal condition triggered by a normal HTTP POST operation.

Affected Systems

Apache Traffic Server versions 10.0.0 through 10.1.1 and 9.0.0 through 9.2.12 are vulnerable. The issue is resolved in 10.1.2 and 9.2.13. For older releases the recommended mitigation is to set proxy.config.http.request_buffer_enabled to 0, the default value, to prevent the crash.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity. The EPSS score of less than 1% indicates the likelihood of exploitation is currently low and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network access capable of sending a POST request; this inference is derived from the description stating that a legitimate POST request can trigger the crash.

Generated by OpenCVE AI on April 6, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Traffic Server to at least version 10.1.2 or 9.2.13.
  • If upgrading is not immediately possible, set proxy.config.http.request_buffer_enabled to 0 to prevent the crash.
  • Verify that the server no longer crashes after applying the patch or configuration change.
  • Monitor system logs for any remaining crash events and apply future vendor releases promptly.

Generated by OpenCVE AI on April 6, 2026 at 19:55 UTC.

Tracking


Advisories
Source: Debian DSA
ID: DSA-6199-1
Title: trafficserver security update
History

Mon, 06 Apr 2026 16:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Apache; Apache Traffic Server

Type: Vendors & Products
Values Added: Apache; Apache Traffic Server

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Added: A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue. A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).

Type: Title
Values Added: Apache Traffic Server: A simple legitimate POST request causes a crash

Type: Weaknesses
Values Added: CWE-670

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Apache Traffic Server
MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-02T18:13:21.125Z

Reserved: 2025-08-25T21:36:46.557Z

Link: CVE-2025-58136

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-02T17:16:20.933

Modified: 2026-04-06T16:06:11.020

Link: CVE-2025-58136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:08Z

Weaknesses