
Apache Traffic Server Flaw Allows Attackers to Launch DoS Attacks

The Apache Software Foundation has released emergency security updates to address two high-severity vulnerabilities in Apache Traffic Server (ATS), a widely deployed, high-performance web proxy and caching solution used across enterprise environments.

Disclosed on April 2, 2026, the flaws could allow remote, unauthenticated threat actors to crash servers or conduct stealthy HTTP request smuggling attacks.

The Vulnerabilities at a Glance

Security researchers Masakazu Kitajo and Katsutoshi Ikenoya identified both issues, which stem from the way ATS processes HTTP requests containing body data.

Both vulnerabilities affect the ATS 9.x branch (versions 9.0.0 through 9.2.12) and the ATS 10.x branch (versions 10.0.0 through 10.1.1).

CVE-2025-58136

The first flaw, tracked as CVE-2025-58136, is classified under CWE-670 (Always-Incorrect Control Flow Implementation).

It stems from a bug in ATS's POST request handling logic: under certain conditions, the server enters an unrecoverable state and crashes entirely.

Because the attack requires no authentication, no special privileges, and no user interaction, it carries a CVSS 3.1 base vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning full availability impact with negligible attacker effort.

Any exposed ATS instance can be taken offline simply by sending a crafted POST request, making this an attractive tool for threat actors targeting enterprise uptime and application availability.

CVE-2025-65114

The second vulnerability, CVE-2025-65114, is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests).

The flaw arises from ATS’s failure to properly validate and parse malformed chunked transfer encoding in HTTP message bodies.

This inconsistency creates a discrepancy between how the proxy and backend servers interpret request boundaries, a condition that attackers can exploit to smuggle unauthorized requests past the proxy layer.

Successful exploitation can enable threat actors to bypass security controls, poison web caches, perform request/response splitting, or intercept sensitive data from co-located users on the same server.

Notably, no public exploits have been reported in the wild yet, though the critical role ATS plays in enterprise traffic management makes it a high-value target.

The Apache Software Foundation officially released patched versions on April 2, 2026.

Administrators running the 9.x branch must upgrade to version 9.2.13, while organizations on the 10.x branch must upgrade to version 10.1.2 to remediate both vulnerabilities.

For teams unable to patch immediately, a partial workaround exists for CVE-2025-58136: setting the configuration parameter proxy.config.http.request_buffer_enabled to 0 (which is, notably, the default value) disables the vulnerable code path and prevents the server crash.

However, no configuration-level workaround exists for CVE-2025-65114; upgrading to a fixed version remains the only effective remediation for the request smuggling flaw.
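An added audit helper, written for this article and not code from the ATS project: given a version string and records.config lines (the sample below is constructed in the 9.x `CONFIG name TYPE value` layout), it reports whether a deployment is on a fixed release and, if not, whether the request_buffer_enabled workaround for CVE-2025-58136 is in place.

```shell
#!/bin/sh
# Added audit helper for the two ATS advisories above; not ATS project code.

# Constructed sample of 9.x-style records.config lines (not a real deployment).
SAMPLE_RECORDS='CONFIG proxy.config.http.cache.http INT 1
CONFIG proxy.config.http.request_buffer_enabled INT 1
CONFIG proxy.config.http.server_ports STRING 8080'

# version_ge A B: succeeds when dotted numeric version A >= B.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
      if (p > q) exit 0; if (p < q) exit 1;
    }
    exit 0 }'
}

# Succeeds when the version is at or past the fixed release for its branch
# (9.2.13 for 9.x, 10.1.2 for 10.x); any other branch is reported as not fixed.
ats_version_fixed() {
  case "$1" in
    9.*)  version_ge "$1" 9.2.13 ;;
    10.*) version_ge "$1" 10.1.2 ;;
    *)    return 1 ;;
  esac
}

# Succeeds when the CVE-2025-58136 workaround is in effect: the key is absent
# (0 is the default) or its last setting in the file is 0.
request_buffer_disabled() {
  value=$(printf '%s\n' "$1" | awk '$1 == "CONFIG" && $2 == "proxy.config.http.request_buffer_enabled" { print $4 }' | tail -n 1)
  [ -z "$value" ] || [ "$value" = "0" ]
}

# audit_ats RECORDS VERSION: prints the finding for one deployment.
audit_ats() {
  if ats_version_fixed "$2"; then
    echo "ATS $2: patched for CVE-2025-58136 and CVE-2025-65114"
  elif request_buffer_disabled "$1"; then
    echo "ATS $2: vulnerable; request_buffer_enabled=0 blocks the CVE-2025-58136 crash, no workaround for CVE-2025-65114, upgrade required"
  else
    echo "ATS $2: vulnerable; request_buffer_enabled=1 leaves the CVE-2025-58136 crash path enabled, upgrade required"
  fi
}

audit_ats "$SAMPLE_RECORDS" 9.2.12
```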

Apache Traffic Server is a backbone component for many enterprise web infrastructures, acting as a caching reverse proxy for high-traffic applications.

These two vulnerabilities, one that trivially crashes the server and another that allows silent request manipulation, represent a compounded risk when unpatched.

Security teams should prioritize immediate version upgrades and audit any ATS deployments exposed to untrusted traffic.


The post Apache Traffic Server Flaw Allows Attackers to Launch DoS Attacks appeared first on Cyber Security News.
