CVE-2025-49763 in Traffic Serverinfo

Summary

by MITRE • 06/19/2025

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.

Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/26/2025

The vulnerability identified as CVE-2025-49763 represents a critical design flaw in the ESI (Edge Side Includes) plugin functionality of Apache Traffic Server. This issue stems from the absence of a configurable limit on maximum inclusion depth, creating a potential avenue for malicious actors to exploit memory consumption patterns through carefully crafted instructions. The flaw exists in versions ranging from 10.0.0 through 10.0.5 and from 9.0.0 through 9.2.10, affecting a significant portion of the traffic server's user base. The vulnerability operates by allowing recursive inclusion operations that can spiral out of control without proper depth constraints, leading to unbounded memory allocation that can exhaust system resources.

The technical implementation of this vulnerability involves the ESI plugin's handling of nested inclusion directives where each inclusion can potentially trigger additional inclusions without proper boundary checks. This recursive behavior, when exploited with maliciously constructed ESI templates, can cause the system to allocate increasingly larger amounts of memory with each recursive level. The lack of a maximum inclusion depth parameter creates a path where attackers can craft requests that force the server to continuously process nested includes, consuming memory at an exponential rate. The fix implemented in versions 9.2.11 and 10.0.6 introduces the --max-inclusion-depth configuration parameter, which serves as a direct mitigation against this specific attack vector.

From an operational impact perspective, this vulnerability poses significant risks to system availability and performance stability. When exploited, the excessive memory consumption can lead to system crashes, denial of service conditions, and potential system instability that affects all users of the affected Apache Traffic Server installations. The vulnerability aligns with CWE-400, which categorizes the issue as an Uncontrolled Resource Consumption vulnerability, and can be mapped to ATT&CK technique T1499.004 for resource exhaustion attacks. Organizations running affected versions face potential downtime and service disruption, particularly in high-traffic environments where ESI processing is actively utilized.

The recommended mitigation strategy involves immediate upgrading to the patched versions 9.2.11 or 10.0.6, which incorporate the necessary --max-inclusion-depth parameter. Administrators should also implement monitoring for unusual memory consumption patterns and consider implementing additional controls such as rate limiting for ESI processing requests. The fix addresses the root cause by introducing a configurable depth limit that prevents recursive inclusion operations from consuming excessive system resources, thereby maintaining server stability and preventing the exploitation pathway that could lead to complete service disruption. Organizations should verify their current installations and ensure proper configuration of the new parameter to prevent future exploitation attempts while maintaining normal operational functionality.

Disclosure

06/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00632

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!