Apache Traffic Server, the high-performance web proxy cache responsible for keeping the modern web fast, is facing a double-header of security challenges. Trusted by ISPs and global enterprises to maximize bandwidth by caching content at the edge of the network, the platform has recently disclosed two distinct vulnerabilities that could lead to service disruptions or sophisticated data interception.
Both issues carry a CVSS score of 7.5, signaling a “High” severity level for administrators maintaining these critical caching nodes.
The reported flaws impact different aspects of how the server handles incoming web traffic:
- POST Request Instability (CVE-2025-58136): A bug was discovered in the way the server handles POST requests under specific conditions. If triggered, this flaw causes the server to crash, potentially leading to a Denial of Service (DoS) for users relying on that edge node.
- Request Smuggling (CVE-2025-65114): Perhaps more concerning for data integrity, a second vulnerability allows for “request smuggling”. This occurs when “chunked messages are malformed,” so that the proxy and an upstream server can disagree about where one request ends and the next begins, potentially allowing an attacker to slip unauthorized requests past security filters or interfere with other users’ web sessions.
The vulnerabilities have a broad reach across several major release branches:
- 10.x Branch: Versions 10.0.0 through 10.1.1 are affected by both flaws.
- 9.x Branch: Versions 9.0.0 through 9.2.12 are also vulnerable to both flaws.
The Apache Software Foundation has released patched versions that resolve both security issues. Users should move to:
- Version 10.1.2
- Version 9.2.13
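As an added example (not code from the advisory or from the Apache project), the following Python encodes the affected ranges and fixed releases listed above so that a defender can triage observed `Server` or `Via` header values from an inventory. It assumes the proxy identifies itself in the default `ATS/x.y.z` form, and it only knows the two branches this page names.

```python
import re

# Affected ranges and fixed releases as stated in the advisory summary above:
# (first affected, last affected, fixed release) per branch. Both CVEs share the ranges.
RANGES = [((9, 0, 0), (9, 2, 12), "9.2.13"),
          ((10, 0, 0), (10, 1, 1), "10.1.2")]
CVES = {"CVE-2025-58136": RANGES, "CVE-2025-65114": RANGES}

# Assumption: the proxy announces itself as "ATS/<major>.<minor>.<patch>" (its default).
_VERSION_RE = re.compile(r"\bATS/(\d+)\.(\d+)\.(\d+)")


def parse_ats_version(header_value):
    """Return (major, minor, patch) from a header value, or None if no ATS version is present."""
    m = _VERSION_RE.search(header_value)
    return tuple(int(x) for x in m.groups()) if m else None


def vulnerable_cves(version):
    """List (cve, fixed_release) pairs whose affected range contains `version`."""
    hits = []
    for cve, ranges in CVES.items():
        for low, high, fixed in ranges:
            if low <= version <= high:
                hits.append((cve, fixed))
    return hits


def assess(header_value):
    """Parse one observed header value and report which CVEs apply and the release to move to."""
    version = parse_ats_version(header_value)
    cves = vulnerable_cves(version) if version else []
    return {"version": version, "cves": cves}


if __name__ == "__main__":
    # Constructed sample header values, not taken from real hosts.
    samples = ["ATS/9.2.10", "ATS/10.1.1", "ATS/10.1.2", "nginx/1.24.0"]
    for s in samples:
        print(s, "->", assess(s))
```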
For those unable to perform an immediate upgrade, a specific workaround exists for the POST request crash (CVE-2025-58136). Administrators can mitigate the risk by ensuring the following configuration is set: