The Apache Software Foundation has announced urgent security patches to fix two critical vulnerabilities in the Apache Traffic Server (ATS), a widely used high-performance web proxy cache. These vulnerabilities, if left unpatched, allow remote attackers to mount Denial-of-Service (DoS) attacks or conduct sophisticated HTTP request smuggling against enterprise networks.
Understanding the Security Flaws
The first of these vulnerabilities, identified as CVE-2025-58136, was uncovered by security researcher Masakazu Kitajo. It is a flaw in which a standard HTTP POST request can crash the ATS application, leading to a Denial-of-Service scenario. Since POST requests are routinely used to send data to web servers, the vulnerable code path is easy for an attacker to reach.
When exploited, this vulnerability can incapacitate the entire proxy server, cutting off access for all users dependent on it. This highlights the critical need for immediate attention from administrators overseeing affected systems.
Impact of HTTP Request Smuggling
The second vulnerability, tracked as CVE-2025-65114, was discovered by security researcher Katsutoshi Ikenoya. This flaw relates to the improper handling of malformed chunked message bodies during data transmission. Attackers can exploit this to perform HTTP request smuggling, a technique that allows them to alter the processing of HTTP request sequences.
Such manipulation can lead to bypassing security controls, poisoning web caches, or gaining unauthorized access to sensitive data on downstream servers. The potential ramifications of this vulnerability are severe, necessitating immediate action.
Recommended Security Measures
Administrators managing ATS versions 9.0.0 through 9.2.12, and 10.0.0 through 10.1.1, are advised to update to the latest secure releases. Specifically, users of the 9.x branch should upgrade to version 9.1.13 or newer, while those on the 10.x branch need to update to version 10.1.2 or later.
For those unable to implement the updates immediately, a temporary workaround for the DoS vulnerability (CVE-2025-58136) involves setting the proxy.config.http.request_buffer_enabled parameter to 0, which is the default configuration. Unfortunately, there is no such workaround for the request smuggling flaw (CVE-2025-65114), making a full software upgrade essential.
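As an added example (not from the advisory or the ATS project), the helper below audits an ATS 9.x records.config for the CVE-2025-58136 workaround and tests a version string against the affected ranges quoted above; it assumes the ATS 9 `CONFIG <name> INT <value>` record format, and the sample configuration is constructed.

```python
# Added example: audit an ATS records.config for the DoS workaround and
# check a version string against the affected ranges stated in the article.
import re

KEY = "proxy.config.http.request_buffer_enabled"
# Affected ranges as stated in the article (inclusive bounds).
AFFECTED = [((9, 0, 0), (9, 2, 12)), ((10, 0, 0), (10, 1, 1))]


def parse_version(text: str) -> tuple:
    """Extract the first X.Y.Z version from a string such as '... 9.2.5 ...'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def request_buffer_setting(records_config: str) -> int:
    """Effective value of request_buffer_enabled. Lines are assumed to use
    the ATS 9.x format 'CONFIG <name> INT <value>'; an absent record means
    the default, 0. If the record appears twice, the last one wins here."""
    value = 0
    for line in records_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "CONFIG" and parts[1] == KEY:
            value = int(parts[3])
    return value


def dos_workaround_in_effect(records_config: str) -> bool:
    """The CVE-2025-58136 workaround requires the record to be 0."""
    return request_buffer_setting(records_config) == 0


# Constructed sample: weak setting beside its corrected form.
WEAK_CONFIG = """# constructed sample records.config
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.request_buffer_enabled INT 1
"""
FIXED_CONFIG = WEAK_CONFIG.replace("INT 1", "INT 0")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "workaround in effect:", dos_workaround_in_effect(cfg))
    print("9.2.5 affected:", is_affected("Apache Traffic Server 9.2.5"))
```

The workaround check only covers the DoS flaw; a version that `is_affected` reports as vulnerable still needs the upgrade for CVE-2025-65114.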
The Apache Software Foundation emphasizes the importance of these updates to maintain network security. Administrators are urged to act swiftly to protect their systems from potential threats posed by these vulnerabilities.
