Description
Apache Traffic Server allows request smuggling if chunked messages are malformed.

This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.

Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Request Smuggling
Action: Immediate Patch
AI Analysis

Impact

Apache Traffic Server is vulnerable to request smuggling when HTTP requests contain malformed chunked message bodies. The flaw allows an attacker to send specially crafted HTTP requests that the server interprets inconsistently, causing requests to be split or mis-delivered to downstream services.

Affected Systems

The vulnerability exists in Apache Traffic Server versions 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1. Users should upgrade to version 9.2.13 or 10.1.2, which contain the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, implying that publicly known exploitation has not been reported. Based on the description, the likely attack vector involves a malicious HTTP client on the network sending malformed chunked requests. Until the patch is applied, the risk remains moderate to high because the flaw permits manipulation of request routing that could compromise proper processing of client requests.

Generated by OpenCVE AI on April 2, 2026 at 21:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Traffic Server to version 9.2.13 or 10.1.2 to fix the request smuggling issue.
  • Verify the new version by checking the server version and reviewing logs for any remaining parsing issues.
  • Monitor HTTP traffic for abnormal request patterns that could indicate smuggling attempts.
  • If an immediate upgrade is not feasible, consider blocking or filtering incoming requests whose chunked transfer-encoding framing (chunk-size lines) is malformed at the network perimeter as a temporary measure.
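What "malformed chunked" means in practice is defined by the chunked transfer-coding grammar in RFC 9112, and a perimeter filter of the kind recommended above is essentially a strict parser for that grammar that refuses anything lenient parsing would have to guess about. The following is an added example written for this page; it is not OpenCVE's or Apache Traffic Server's code, it does not model the specific ATS defect (which this record does not describe), and the function names, the MAX_CHUNK_SIZE cap and the sample messages are constructed for illustration. It goes slightly beyond the chunked-body check by also rejecting the header combinations that make a body length ambiguous, since those are the general CWE-444 precondition.

```python
"""Strict HTTP/1.1 chunked-framing validator (RFC 9112 sections 6 and 7).

Added example for the perimeter-filtering action above; not OpenCVE's or
Apache Traffic Server's code and not a model of the specific ATS defect.
"""
import re

# RFC 9112 7.1: chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
#   chunk-size = 1*HEXDIG
#   chunk-ext  = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )  (BWS not accepted here)
# Anything outside this grammar (leading/trailing blanks, signs, "0x", bare LF,
# non-hex digits) is rejected rather than interpreted leniently, because lenient
# parsing is what lets two parsers disagree about where a body ends.
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
_SIZE_LINE = re.compile(
    rb"\A([0-9A-Fa-f]+)(?:;" + _TOKEN + rb"(?:=(?:" + _TOKEN + rb"|" + _QUOTED + rb"))?)*\Z"
)
# trailer field-line = field-name ":" OWS field-value OWS
_FIELD_LINE = re.compile(
    rb"\A" + _TOKEN + rb":[\t ]*(?:[\x21-\x7e](?:[\t \x21-\x7e]*[\x21-\x7e])?)?[\t ]*\Z"
)
MAX_CHUNK_SIZE = 1 << 20  # constructed policy cap, not a protocol constant


def validate_chunked_body(body: bytes) -> tuple[bool, str]:
    """Return (True, "") for a strictly well-formed chunked body, else (False, reason).

    Only framing is checked; chunk-data payload is never interpreted."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False, "chunk-size line not terminated by CRLF"
        m = _SIZE_LINE.match(body[pos:end])
        if m is None:
            return False, "malformed chunk-size line: %r" % body[pos:end]
        size = int(m.group(1), 16)
        if size > MAX_CHUNK_SIZE:
            return False, "chunk-size above policy cap"
        pos = end + 2
        if size == 0:
            break  # last-chunk; the trailer section follows
        data_end = pos + size
        if body[data_end:data_end + 2] != b"\r\n":
            return False, "chunk-data not followed by CRLF (declared size mismatch)"
        pos = data_end + 2
    while True:  # trailer-section: *( field-line CRLF ) then an empty line
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False, "trailer section not terminated by CRLF"
        line, pos = body[pos:end], end + 2
        if line == b"":
            break
        if _FIELD_LINE.match(line) is None:
            return False, "malformed trailer field: %r" % line
    if pos != len(body):
        return False, "bytes present after the final CRLF"
    return True, ""


def check_framing_headers(headers: list[tuple[bytes, bytes]]) -> tuple[bool, str]:
    """Reject header sets whose body length is ambiguous (the CWE-444 precondition).

    `headers` is a list of (name, value) pairs so that duplicates stay visible."""
    te = [v for n, v in headers if n.lower() == b"transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == b"content-length"]
    if te and cl:
        # RFC 9112 6.3 permits rejecting such a request outright.
        return False, "both Transfer-Encoding and Content-Length present"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings.count(b"chunked") != 1 or codings[-1] != b"chunked":
            return False, "chunked must be the single, final transfer coding"
    if cl and (len(set(cl)) > 1 or not re.fullmatch(rb"[0-9]+", cl[0])):
        return False, "conflicting or non-numeric Content-Length"
    return True, ""


if __name__ == "__main__":
    # Constructed samples: the first three are valid, the rest are malformed.
    samples = [
        b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
        b'4;ext="v"\r\nWiki\r\n0\r\nX-Check: ok\r\n\r\n',
        b"0\r\n\r\n",
        b" 4\r\nWiki\r\n0\r\n\r\n",       # leading blank in chunk-size
        b"0x4\r\nWiki\r\n0\r\n\r\n",     # hex prefix
        b"4\nWiki\r\n0\r\n\r\n",         # bare LF line ending
        b"4\r\nWikip\r\n0\r\n\r\n",      # declared size does not match data
        b"0\r\n\r\nleft-over",           # bytes after the terminating CRLF
    ]
    for s in samples:
        print(validate_chunked_body(s), s)
```

A filter this strict will also turn away some sloppy but benign clients (bad whitespace around chunk extensions, for instance); that trade-off is the point of a perimeter control, since every ambiguity it refuses is one the proxy and origin can no longer resolve differently. It reduces exposure while the upgrade is scheduled and is not a substitute for it.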

Generated by OpenCVE AI on April 2, 2026 at 21:59 UTC.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache
                                      Apache traffic Server
Vendors & Products                    Apache
                                      Apache traffic Server

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Title                          Apache Traffic Server: Malformed chunked message body allows request smuggling
Weaknesses                     CWE-444
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
                               ssvc
                               {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Apache Traffic Server
MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-02T18:10:10.171Z

Reserved: 2025-11-18T00:11:27.195Z

Link: CVE-2025-65114

Vulnrichment

Updated: 2026-04-02T18:08:34.686Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:21.087

Modified: 2026-04-03T16:10:23.730

Link: CVE-2025-65114

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:40Z

Weaknesses