CVE-2025-31698 in Traffic Serverinfo

Summary

by MITRE • 06/19/2025

ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.

Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.  This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/26/2025

The vulnerability described in CVE-2025-31698 represents a critical access control flaw within Apache Traffic Server that undermines the security of network traffic filtering mechanisms. This issue specifically impacts the handling of IP address information when the proxy protocol is enabled, creating a significant bypass opportunity for unauthorized network access attempts. The flaw exists in the configuration processing logic where access control lists defined in ip_allow.config or remap.config files fail to properly utilize IP addresses provided through the PROXY protocol, effectively rendering the intended access controls ineffective.

The technical implementation of this vulnerability stems from how Apache Traffic Server processes network connections when the PROXY protocol is enabled. When a client connects through a proxy that supports the PROXY protocol, the original client IP address is transmitted in a specific format that includes the source and destination IP addresses along with port information. However, the affected versions of Apache Traffic Server do not correctly parse or utilize these PROXY protocol IP addresses when evaluating access control lists. This misconfiguration means that ACL rules are evaluated against the proxy server's IP address rather than the actual client IP address, allowing attackers to bypass intended restrictions and potentially gain unauthorized access to protected resources.

From an operational perspective, this vulnerability creates a dangerous scenario where network administrators believe they have properly restricted access to their services through carefully configured access control lists. The flaw essentially allows malicious actors to appear as legitimate clients by leveraging the PROXY protocol to present false IP addresses while the system continues to enforce access controls based on the proxy's IP address instead of the actual client. This issue affects multiple release versions including the 9.0.0 through 9.2.10 range and 10.0.0 through 10.0.6, indicating it has been present for several major releases and likely went undetected by many organizations relying on Apache Traffic Server for their edge routing and caching services.

The impact of this vulnerability extends beyond simple access control bypasses and can potentially enable more sophisticated attacks including denial of service, data exfiltration, or privilege escalation depending on the specific implementation of the access control lists. Organizations using Apache Traffic Server with PROXY protocol support may be unknowingly allowing unauthorized access to sensitive resources, particularly in environments where access control is critical for compliance requirements or security policies. This vulnerability aligns with CWE-284 Access Control Issues, specifically addressing improper access control mechanisms when processing network protocol information. The issue also maps to ATT&CK technique T1071.004 Application Layer Protocol: DNS, as the compromised access controls could enable attackers to bypass network filtering and potentially use DNS-based attack vectors. The recommended remediation involves upgrading to version 9.2.11 or 10.0.6 which implements proper handling of PROXY protocol IP addresses in access control list evaluation, ensuring that ACL rules are enforced against the actual client IP addresses rather than intermediate proxy addresses. This fix addresses the root cause by properly parsing PROXY protocol information and using the correct IP address for access control decision making, thereby restoring the intended security posture for organizations using this popular caching and proxy server solution.

Disclosure

06/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00448

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!