CVE-2025-49763: Apache Traffic Server Vulnerability Enables Memory Exhaustion Attacks


A security flaw in Apache Traffic Server (ATS) affects cloud service providers worldwide. The vulnerability, identified as CVE-2025-49763, exposes affected systems to denial-of-service (DoS) attacks that exploit a critical ACL issue in the server’s Edge Side Includes (ESI) plugin, enabling attackers to exhaust server memory and disrupt operations.

Apache Traffic Server is widely used as a high-performance, scalable caching proxy and traffic management system. The newly reported Apache Traffic Server vulnerability centers on the ESI plugin, a component designed to dynamically assemble web content at the edge. This feature, while valuable, contains a flaw in its processing of inclusion depth, a mechanism that controls how many nested ESI requests the server will follow.
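To illustrate what an inclusion-depth limit does, the following added example (not code from Apache Traffic Server or from the original article) is a simplified ESI assembler in Python that stops following nested includes past a configurable depth and fails closed. The function names, the limit of 3 and the sample fragments are assumptions constructed for illustration.

```python
import re

# Simplified matcher for <esi:include src="..."/>; real ESI has more attributes.
ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    """Raised when nested includes go deeper than the configured limit."""


def assemble(url, fetch, max_depth=3, _depth=0):
    """Expand ESI includes in the document at `url`, following at most
    `max_depth` levels of nesting. `fetch` maps a URL to its body."""
    if _depth > max_depth:
        # Refuse before fetching, so work and memory stay bounded.
        raise InclusionDepthExceeded(f"{url}: depth {_depth} > limit {max_depth}")
    body = fetch(url)
    return ESI_INCLUDE.sub(
        lambda m: assemble(m.group(1), fetch, max_depth, _depth + 1), body)


# Constructed sample origin content (not real traffic).
FRAGMENTS = {
    "/page": 'Header <esi:include src="/nav"/> Footer',
    "/nav": '[nav <esi:include src="/user"/>]',
    "/user": "guest",
    "/loop": 'x<esi:include src="/loop"/>',  # fragment that includes itself
}


def safe_assemble(url, max_depth=3):
    """Return (status, body): serve the assembled page or fail closed."""
    try:
        return 200, assemble(url, FRAGMENTS.__getitem__, max_depth)
    except InclusionDepthExceeded:
        return 500, ""


def count_fetches(url, max_depth=3):
    """Count origin fetches made while assembling `url` under the limit."""
    calls = []

    def fetch(u):
        calls.append(u)
        return FRAGMENTS[u]

    try:
        assemble(url, fetch, max_depth)
    except InclusionDepthExceeded:
        pass
    return len(calls)
```

With the guard in place, a fragment that keeps including itself costs a fixed number of fetches, while legitimate pages nested within the limit assemble normally.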
