Apache Traffic Server Flaw Allowed Attackers to Trigger Denial-of-Service Attacks
The Apache Software Foundation has released critical security updates to address two vulnerabilities in Apache Traffic Server (ATS).
Disclosed on April 2, 2026, these flaws could allow remote threat actors to trigger denial-of-service (DoS) conditions or execute HTTP request smuggling attacks.
The vulnerabilities stem from how the server processes HTTP requests that contain body data.
Understanding the Vulnerabilities
Security researchers Masakazu Kitajo and Katsutoshi Ikenoya discovered two distinct issues affecting how ATS handles web traffic.
The first vulnerability, tracked as CVE-2025-58136, allows an attacker to crash the server simply by sending a legitimate POST request.
Because it requires no special authentication, this flaw poses a severe risk for denial-of-service attacks. Threat actors could easily exploit this to disrupt enterprise networks and take applications offline.
The second vulnerability, identified as CVE-2025-65114, is an HTTP request smuggling flaw caused by the mishandling of malformed chunked message bodies.
Request smuggling is a highly dangerous technique that allows attackers to interfere with how different servers interpret HTTP request boundaries.
This can enable threat actors to bypass security controls, poison web caches, or intercept sensitive data from other users connected to the same server.
Apache Traffic Server is a popular, high-performance web proxy and caching server, making these vulnerabilities a significant concern for enterprise environments.
Administrators are strongly advised to check their deployments. The affected software versions include the ATS 9.x branch (from 9.0.0 through 9.2.12) and the ATS 10.x branch (from 10.0.0 through 10.1.1).
Mitigations and Workarounds
To secure their infrastructure, network administrators must upgrade their ATS installations immediately.
Users operating on the 9.x branch should update to version 9.1.13 or newer. Meanwhile, organizations utilizing the 10.x branch must upgrade to version 10.1.2 or later to ensure complete protection against both threats.
If immediate patching is not feasible, there is a temporary workaround for the denial-of-service vulnerability (CVE-2025-58136).
Administrators can prevent the server crash by setting the configuration parameter proxy.config.http.request_buffer_enabled to 0, which is notably the default value in standard setups.
However, there is no configuration workaround available for the request smuggling vulnerability (CVE-2025-65114). Because of this limitation, upgrading the software remains the only definitive way to secure the server.