Apache Traffic Server Vulnerability Enabled Denial-of-Service Attacks

The Apache Software Foundation has released critical security updates that address two significant vulnerabilities in Apache Traffic Server (ATS). The vulnerabilities were disclosed on April 2, 2026, and can be exploited by remote threat actors to trigger denial-of-service (DoS) conditions or to carry out HTTP request smuggling attacks. Both issues arise from how the server handles HTTP requests that contain body data.

Understanding the Vulnerabilities

Security researchers Masakazu Kitajo and Katsutoshi Ikenoya uncovered two distinct vulnerabilities in how Apache Traffic Server handles web traffic. The first, tracked as CVE-2025-58136, poses a critical risk because it allows attackers to crash the server by sending a legitimate POST request. The flaw does not require any special authentication, which makes it easy to exploit. For enterprises that run ATS in their networks, this means an attacker could disrupt services and take applications offline with relative ease.

The second vulnerability, identified as CVE-2025-65114, is an HTTP request smuggling issue. Request smuggling is a technique that lets attackers manipulate how different servers interpret the boundaries of HTTP requests. The vulnerability arises from the mishandling of malformed chunked message bodies. With such an exploit, attackers can bypass security controls, poison web caches, or even intercept sensitive data flowing from other users connected to the same server. Because Apache Traffic Server is a high-performance web proxy and caching server, these vulnerabilities raise significant concerns for enterprise environments that depend on it for secure and efficient web traffic management.

Recommendations for Users

Administrators should check their ATS deployments promptly. The affected versions are the ATS 9.x branch (9.0.0 through 9.2.12) and the ATS 10.x branch (10.0.0 through 10.1.1). Administrators are strongly urged to upgrade immediately: organizations on the 9.x branch must update to version 9.1.13 or newer, while those on the 10.x branch should upgrade to version 10.1.2 or later. These updates are needed for complete protection against both vulnerabilities.

For users who cannot apply the updates immediately, a temporary workaround is available for the denial-of-service vulnerability (CVE-2025-58136). Administrators can prevent the server from crashing by setting the configuration parameter proxy.config.http.request_buffer_enabled to 0. This is often the default setting in standard setups, which could provide immediate but limited relief from the threat.

However, it is essential to recognize that there is no configuration workaround for the request smuggling vulnerability (CVE-2025-65114). As a result, the only reliable method for securing the server against this particular threat remains the software upgrade.
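The triage described above can be scripted. The following is an added example, not code from the Apache project or the original article: it compares a version string against the affected ranges stated here and reads the workaround parameter from a records.config-style file. The function names, the sample configuration text and the rule that a later line overrides an earlier one are assumptions made for illustration.

```python
import re

# Affected ranges (inclusive) exactly as stated in the article.
AFFECTED = [((9, 0, 0), (9, 2, 12)), ((10, 0, 0), (10, 1, 1))]
PARAM = "proxy.config.http.request_buffer_enabled"

# Constructed sample in the records.config line format: CONFIG <name> <TYPE> <value>
SAMPLE_RECORDS = """\
# constructed sample, not from a real deployment
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.request_buffer_enabled INT 1
"""

def parse_version(text):
    """Extract the first x.y.z version number from a string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version_text):
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in AFFECTED)

def request_buffer_setting(records_text):
    """Return the configured value, or None when the parameter is not set."""
    value = None
    for raw in records_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) == 4 and fields[:2] == ["CONFIG", PARAM]:
            value = int(fields[3])  # assumption: a later line overrides an earlier one
    return value

def assess(version_text, records_text):
    """Map each CVE from the article to a status for this deployment."""
    if not is_affected(version_text):
        return {}
    setting = request_buffer_setting(records_text)
    if setting == 0:
        dos = "workaround set, upgrade still needed"
    elif setting is None:
        dos = "parameter not set explicitly, set it to 0 until upgraded"
    else:
        dos = "exposed, set parameter to 0 or upgrade"
    return {"CVE-2025-58136": dos,
            "CVE-2025-65114": "no config workaround, upgrade required"}

if __name__ == "__main__":
    for cve, status in assess("9.2.5", SAMPLE_RECORDS).items():
        print(cve, "->", status)
```

The parser only reads the flat `CONFIG` line format; a deployment that keeps its settings in another file format needs a separate reader.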

In conclusion, the vulnerabilities disclosed in Apache Traffic Server serve as a stark reminder of the ongoing threat landscape that organizations must navigate. With remote attacks becoming increasingly sophisticated, administrators must remain vigilant and proactive in securing their infrastructures. The Apache Software Foundation’s prompt response in releasing critical updates highlights the importance of timely action in addressing vulnerabilities. Organizations that rely on ATS are urged not to delay in implementing these updates, as doing so can mean the difference between maintaining secure operations and falling victim to disruptive cyber-attacks.

For continued updates and the latest information, stakeholders are encouraged to follow relevant sources on social media platforms. This will help keep them informed about any further developments in the cybersecurity landscape, ensuring that they can take the necessary actions to safeguard their operations.
