CVE-2025-49763

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:traffic_server::::::::
	cpe:2.3:a:apache:traffic_server::::::::

History

01 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-19 10:15

Updated : 2025-07-01 20:15

NVD link : CVE-2025-49763

Mitre link : CVE-2025-49763

CVE.ORG link : CVE-2025-49763

JSON object : View

Products Affected

apache

traffic_server

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2025-49763", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-06-19T10:15:21.887", "references": [{"url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue."}, {"lang": "es", "value": "El complemento ESI no tiene l\u00edmite de profundidad m\u00e1xima de inclusi\u00f3n, lo que permite un consumo excesivo de memoria si se insertan instrucciones maliciosas. Los usuarios pueden usar una nueva configuraci\u00f3n del complemento (--max-inclusion-depth) para limitarlo. Este problema afecta a Apache Traffic Server: de la 10.0.0 a la 10.0.5 y de la 9.0.0 a la 9.2.10. Se recomienda actualizar a la versi\u00f3n 9.2.11 o 10.0.6, que soluciona el problema."}], "lastModified": "2025-07-01T20:15:05.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7AB2F8C0-3B8A-4C21-8358-4718FB3ECA5C", "versionEndExcluding": "9.2.11", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5AF96465-2A06-4EC2-832C-36A094908691", "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}