Description
Apache Traffic Server allows request smuggling if chunked messages are malformed. 

This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.

Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling
Action: Upgrade
AI Analysis

Impact

Apache Traffic Server decodes HTTP request bodies sent with chunked transfer encoding. When a client sends a malformed chunked message, Traffic Server's view of where the request body ends can differ from the view of another component on the same path, so an attacker can append a second request that the server treats as a separate message in the same connection. This is CWE-444, inconsistent interpretation of HTTP requests (HTTP request/response smuggling): a smuggled request rides in under the framing of an already-accepted one and can subvert the routing, access checks and connection handling that apply to normal requests, which is why the advisory rates the integrity impact as high.
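The desync mechanism described above, as an added example that is not Apache Traffic Server code and does not reproduce the CVE's actual malformation (the page does not say what it is). The "0x" prefix on the chunk-size line is a constructed malformation, and the three chunk-size readers are hypothetical models of how implementations differ: a strict RFC 9112 reader rejects the request, a tolerant reader that uses int(field, 16) treats "0x29" as 41 bytes, and a strtol-style reader that stops at the first non-hex byte treats it as 0, the last-chunk. The same bytes therefore contain one request for one reader and two for the other; the smuggled GET /admin and the hostnames are constructed for the example.

```python
"""Constructed illustration of the CWE-444 desync behind chunked-body smuggling.

Added example, not Apache Traffic Server code. The "0x" chunk-size prefix is a
malformation chosen for the demonstration, not the one behind this CVE.
Chunk-size readers (hypothetical models of implementation behaviour):
  hex_strict  - RFC 9112: 1*HEXDIG only, anything else is a framing error
  hex_int     - tolerant: int(field, 16), which accepts b"0x29" as 41
  hex_prefix  - strtol-style: hex digits up to the first non-hex byte, so
                b"0x29" is 0, i.e. the last-chunk
"""
import re

CRLF = b"\r\n"
HEXDIG_RE = re.compile(rb"[0-9A-Fa-f]+")

# Constructed second request the attacker wants a back end to see on its own.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"


def hex_strict(field: bytes) -> int:
    if not HEXDIG_RE.fullmatch(field):
        raise ValueError(f"invalid chunk-size {field!r}")
    return int(field, 16)


def hex_int(field: bytes) -> int:
    return int(field.strip(), 16)


def hex_prefix(field: bytes) -> int:
    digits = re.match(rb"[0-9A-Fa-f]*", field.strip()).group(0)
    return int(digits, 16) if digits else 0


def parse_chunked(data: bytes, size_reader):
    """Decode one chunked body; return (body, bytes left on the connection).
    Only the chunk-size field is delegated to size_reader; CRLF after every
    size line and every chunk, and a bare CRLF after the last-chunk, are
    enforced. Trailers are not supported, to keep the example short."""
    body = bytearray()
    pos = 0
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ValueError("chunk-size line not terminated by CRLF")
        line = data[pos:end]
        # A chunk-ext after ';' is allowed and ignored (BWS before ';' is legal).
        field = line.split(b";", 1)[0].rstrip(b" \t") if b";" in line else line
        size = size_reader(field)
        pos = end + 2
        if size == 0:
            if data[pos:pos + 2] != CRLF:
                raise ValueError("last-chunk not followed by CRLF")
            return bytes(body), data[pos + 2:]
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        body += chunk
        pos += size + 2


def split_requests(stream: bytes, size_reader):
    """Parse consecutive requests from one connection's bytes.
    Returns ([(request_line, body), ...], unparsed residue)."""
    requests = []
    while True:
        stream = stream.lstrip(b"\r\n")      # RFC 9112 2.2: skip empty lines
        head_end = stream.find(b"\r\n\r\n")
        if head_end == -1:
            return requests, stream
        head = stream[:head_end].split(CRLF)
        request_line = head[0].decode("ascii", "replace")
        if len(request_line.split(" ")) != 3:
            return requests, stream          # not a request-line: stop here
        headers = {}
        for h in head[1:]:
            name, _, value = h.partition(b":")
            headers[name.strip().lower()] = value.strip()
        rest, body = stream[head_end + 4:], b""
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, rest = parse_chunked(rest, size_reader)
        requests.append((request_line, body))
        stream = rest


def interpret(stream: bytes, size_reader):
    """Return ("rejected", [], reason) or ("accepted", requests, residue)."""
    try:
        requests, residue = split_requests(stream, size_reader)
    except ValueError as exc:
        return "rejected", [], str(exc)
    return "accepted", requests, residue


def build_stream(smuggled: bytes = SMUGGLED) -> bytes:
    """Attacker bytes: one POST whose chunk-size line is b"0x<n>", n being
    len(CRLF + smuggled). hex_int reads an n-byte chunk that swallows the
    smuggled request as upload data; hex_prefix reads the last-chunk, then the
    terminating CRLF, and then sees GET /admin as a fresh request."""
    chunk = CRLF + smuggled
    size_line = b"0x" + format(len(chunk), "x").encode()
    head = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n")
    return head + size_line + CRLF + chunk + CRLF + b"0" + CRLF + CRLF


if __name__ == "__main__":
    for reader in (hex_strict, hex_int, hex_prefix):
        status, reqs, tail = interpret(build_stream(), reader)
        print(reader.__name__, status, [r for r, _ in reqs], tail)
```

The practitioner's takeaway is the strict reader: a component in front of a proxy that cannot yet be upgraded should reject non-HEXDIG chunk-size fields and missing CRLFs outright rather than pick one interpretation, because any tolerant choice may differ from the next hop's.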

Affected Systems

The affected releases are Apache Traffic Server 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1. Any deployment of these versions that accepts chunked request bodies from untrusted clients is exposed; the advisory lists no configuration-based workaround, so every installation reachable over HTTP should be assumed vulnerable until upgraded.

Risk and Exploitability

The CVSS v3.1 score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: the rated impact is to integrity only, with no confidentiality or availability impact. The EPSS score is below 1%, the SSVC record marks exploitation as "none", and the CVE is not listed in the CISA KEV catalog. No authentication, privileges or user interaction are required; any client that can reach Traffic Server over HTTP can send the malformed chunked body, and SSVC rates the issue as automatable, so internet-facing deployments should be treated as the priority.

Generated by OpenCVE AI on April 6, 2026 at 20:51 UTC.

Remediation

Vendor fix: upgrade to Apache Traffic Server 9.2.13 (9.x line) or 10.1.2 (10.x line). No workaround other than upgrading is provided in the advisory.

OpenCVE Recommended Actions

  • Upgrade Apache Traffic Server to version 9.2.13 or 10.1.2 to apply the vendor fix.
  • Verify that the upgrade has been applied on every node by checking the server version string (e.g. the output of `traffic_server -V`) against the fixed versions 9.2.13 and 10.1.2; for distribution packages such as Debian's, confirm that the installed package version corresponds to a patched build (see DSA-6199-1).
  • If an immediate upgrade is not possible, restrict inbound traffic to trusted networks, or place an edge component in front of Traffic Server that rejects non-RFC-compliant chunked framing (invalid chunk-size fields, missing CRLF terminators) instead of forwarding it. Since Traffic Server is itself usually the reverse proxy, this means an additional layer; it reduces but does not remove the exposure.

Generated by OpenCVE AI on April 6, 2026 at 20:51 UTC.

Advisories
Source: Debian DSA
ID: DSA-6199-1
Title: trafficserver security update
History

Mon, 06 Apr 2026 16:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Apache; Apache Traffic Server
Type: Vendors & Products
Values Added: Apache; Apache Traffic Server

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Added: Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Type: Title
Values Added: Apache Traffic Server: Malformed chunked message body allows request smuggling
Type: Weaknesses
Values Added: CWE-444
Type: References
Values Added:
Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Apache Traffic Server
MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-02T18:10:10.171Z

Reserved: 2025-11-18T00:11:27.195Z

Link: CVE-2025-65114

Vulnrichment

Updated: 2026-04-02T18:08:34.686Z

NVD

Status : Analyzed

Published: 2026-04-02T17:16:21.087

Modified: 2026-04-06T16:05:24.443

Link: CVE-2025-65114

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:07Z

Weaknesses