Apache Traffic Server flaws can let attackers crash servers or smuggle requests, Apache warns
Administrators running vulnerable versions of Apache Traffic Server should patch now. Apache has disclosed two security flaws that can let remote attackers trigger a denial-of-service condition or attempt HTTP request smuggling, depending on the bug and the server setup.
The first issue, CVE-2025-58136, affects how Apache Traffic Server handles certain POST requests. Apache says the bug can cause the server to crash under a specific condition, which means a remote attacker could knock the proxy offline and disrupt access for legitimate users.
The second issue, CVE-2025-65114, involves malformed chunked message bodies. Apache says that flaw can lead to HTTP request smuggling, a more complex attack that can confuse how front-end and back-end systems process requests and, in some environments, help attackers bypass controls or tamper with downstream traffic.
Affected versions and patch guidance
Both vulnerabilities affect Apache Traffic Server 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1. Apache recommends upgrading to 9.2.13 or 10.1.2, which contain fixes for both issues.
That upgrade advice matters because Apache Traffic Server typically sits in front of busy web infrastructure as a caching proxy and traffic management layer. When software in that position fails, every application and user behind it is affected at once. Apache's advisory does not say this directly; it follows from the product's role and the crash impact Apache describes.
For teams that cannot patch immediately, Apache says there is a temporary mitigation for CVE-2025-58136. Setting proxy.config.http.request_buffer_enabled to 0 stops the crash path, and Apache notes that 0 is already the default value, so deployments that never changed the setting are already covered; confirm the running value rather than assume it. There is no workaround for CVE-2025-65114, so upgrading remains the only complete fix for the request smuggling risk.
What each flaw does
| CVE | Risk | What Apache says | Fix |
|---|---|---|---|
| CVE-2025-58136 | Denial of service | A bug in POST request handling can crash ATS under a certain condition | Upgrade to 9.2.13 or 10.1.2; temporary mitigation available |
| CVE-2025-65114 | HTTP request smuggling | Malformed chunked messages can be smuggled through ATS | Upgrade to 9.2.13 or 10.1.2; no workaround |
The denial-of-service bug looks easier to understand and potentially easier to abuse. Apache’s description says a simple legitimate POST request can trigger the crash in the affected builds, which lowers the barrier for attackers looking to disrupt exposed services.
The request smuggling flaw may prove more dangerous in layered environments, because those attacks exploit mismatches between how two systems in the chain parse the same request. When the front end believes a message body ends at one point and the back end at another, the leftover bytes are read as the start of a second request the front end never inspected. In practice, that can open the door to cache poisoning, hidden request injection, or access to data that a front-end control should have blocked.
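The parsing mismatch behind this class of attack, as an added illustration that is not Apache Traffic Server's code and makes no claim about how CVE-2025-65114 itself is triggered. The three chunk-size parsers below are hypothetical: one enforces the RFC 9112 grammar, and two are lenient in different ways. The constructed request uses a "0x" prefix on the chunk-size line (an assumed malformation) so that one lenient parser reads the line as a 40-byte chunk and the other as the terminating zero-length chunk, leaving a second request in the leftover bytes.

```python
import re

# Added illustration of HTTP request smuggling through a malformed chunk-size
# line. All three size parsers are hypothetical, not ATS code, and the "0x"
# prefix malformation is an assumption chosen to make two lenient parsers
# disagree about where the body ends.


class MalformedChunk(ValueError):
    """Raised when a chunk-size line or chunk framing violates RFC 9112."""


# RFC 9112 section 7.1: chunk-size = 1*HEXDIG, then optional bad whitespace
# and a chunk-ext starting with ';', then CRLF. Nothing else is allowed.
_STRICT = re.compile(rb"^([0-9A-Fa-f]+)[ \t]*(;[^\r\n]*)?\r\n$")


def strict_size(line: bytes) -> int:
    """RFC-conformant parser: rejects anything that is not HEXDIG [chunk-ext] CRLF."""
    m = _STRICT.match(line)
    if m is None:
        raise MalformedChunk(line)
    return int(m.group(1), 16)


def int_size(line: bytes) -> int:
    """Lenient parser A: strips whitespace and hands the token to int(), which
    also accepts a 0x prefix, so b"0x28" becomes 40."""
    token = line.split(b";", 1)[0].strip()
    try:
        return int(token, 16)
    except ValueError:
        raise MalformedChunk(line) from None


def leading_hex_size(line: bytes) -> int:
    """Lenient parser B: reads leading hex digits and ignores the rest of the
    line, so b"0x28" becomes 0, i.e. the last-chunk marker."""
    m = re.match(rb"^([0-9A-Fa-f]+)", line)
    if m is None:
        raise MalformedChunk(line)
    return int(m.group(1), 16)


def dechunk(body: bytes, size_parser):
    """Decode a chunked body with the given chunk-size parser.

    Returns (decoded_payload, leftover_bytes). Leftover bytes are whatever
    follows the last-chunk; on a keep-alive connection a server parses them
    as the start of the next request. Trailer fields are not supported."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise MalformedChunk("chunk-size line without CRLF")
        size = size_parser(body[pos:eol + 2])
        pos = eol + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":
                raise MalformedChunk("last-chunk not followed by CRLF")
            return bytes(out), body[pos + 2:]
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedChunk("chunk-data truncated or not CRLF-terminated")
        out += data
        pos += size + 2


# Constructed sample: parser B sees an empty, finished body and then a second
# request; parser A swallows the same bytes as one 40-byte chunk.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"


def build_sample() -> bytes:
    payload = b"\r\n" + SMUGGLED            # leading CRLF satisfies B's last-chunk check
    size_line = b"0x%x\r\n" % len(payload)  # malformed: "0x" is not HEXDIG
    return size_line + payload + b"\r\n0\r\n\r\n"


def compare(body: bytes) -> dict:
    """Run every parser over the body and report what each one would do."""
    results = {}
    for name, parser in (("strict", strict_size), ("A", int_size), ("B", leading_hex_size)):
        try:
            decoded, rest = dechunk(body, parser)
            results[name] = {"body": decoded, "next_request": rest}
        except MalformedChunk as exc:
            results[name] = {"rejected": str(exc)}
    return results


if __name__ == "__main__":
    for name, result in compare(build_sample()).items():
        print(name, result)
```

Run as written, the strict parser rejects the message outright, parser A reports a 40-byte body and nothing left over, and parser B reports an empty body followed by `GET /admin HTTP/1.1`. A front end behaving like A and a back end behaving like B would disagree about where the first request ends, which is exactly the desynchronisation request smuggling relies on; the only robust position for a proxy is the strict one.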
What admins should do now
- Check whether your ATS deployment runs versions 9.0.0 through 9.2.12 or 10.0.0 through 10.1.1.
- Upgrade to Apache Traffic Server 9.2.13 or 10.1.2 as soon as possible.
- If you cannot patch immediately, confirm that proxy.config.http.request_buffer_enabled is set to 0 to reduce the DoS risk from CVE-2025-58136.
- Do not rely on configuration changes for CVE-2025-65114, because Apache has not published a workaround for that issue.
- Review logs and unusual proxy behavior if your ATS instance faces internet traffic or protects high-value applications. This last step is prudent operational advice based on the affected software’s role, not a direct Apache quote.
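A small triage helper covering the version and mitigation checks above, added here as an example rather than anything Apache ships. The affected ranges, fixed releases and the mitigation key come from Apache's advisory as reported on this page. The command names and output formats it parses are assumptions: `traffic_server --version` is assumed to print an x.y.z version somewhere in its output, and `traffic_ctl config get proxy.config.http.request_buffer_enabled` is assumed to print the key followed by its value, so both parsers look only for the fields they need.

```python
import re
import subprocess
from typing import Optional

# Added triage helper, not part of Apache Traffic Server. Ranges and the
# mitigation key follow the advisory; the command output formats are assumed.

AFFECTED_RANGES = (((9, 0, 0), (9, 2, 12)), ((10, 0, 0), (10, 1, 1)))
FIXED_RELEASE = {9: "9.2.13", 10: "10.1.2"}
MITIGATION_KEY = "proxy.config.http.request_buffer_enabled"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple:
    """Pull the first x.y.z triple out of version output (assumed format)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: tuple) -> bool:
    """True if the version falls inside either range Apache lists as vulnerable."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def recommended_release(version: tuple) -> Optional[str]:
    """Return the fixed release for the version's major line, or None if not affected."""
    return FIXED_RELEASE.get(version[0]) if is_affected(version) else None


def parse_config_value(text: str, key: str = MITIGATION_KEY) -> Optional[str]:
    """Extract the value of `key` from 'key: value' style output (assumed format)."""
    m = re.search(re.escape(key) + r"\s*[:=]\s*(\S+)", text)
    return m.group(1) if m else None


def triage(version_output: str, config_output: str) -> dict:
    """Combine both checks into one verdict an operator can act on."""
    version = parse_version(version_output)
    affected = is_affected(version)
    buffering = parse_config_value(config_output)
    return {
        "version": ".".join(map(str, version)),
        "affected": affected,
        "upgrade_to": recommended_release(version),
        # The CVE-2025-58136 mitigation only holds while buffering is off (0, the default).
        "dos_mitigated": buffering == "0",
        # Apache published no workaround for CVE-2025-65114; only the upgrade closes it.
        "smuggling_mitigated_by_config": False,
    }


def run(cmd: list) -> str:
    """Run a command and return its stdout, or '' if the binary is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Constructed sample output standing in for a real host. On a server,
    # replace these with run(["traffic_server", "--version"]) and
    # run(["traffic_ctl", "config", "get", MITIGATION_KEY]).
    version_out = "Apache Traffic Server - traffic_server - 9.2.11 - (build # ...)"
    config_out = f"{MITIGATION_KEY}: 1"
    print(triage(version_out, config_out))
```

With the constructed sample the verdict is affected, upgrade to 9.2.13, DoS mitigation not in place (buffering is 1), and no configuration relief for the smuggling bug. The `smuggling_mitigated_by_config` field is deliberately hard-coded to False so that nobody reading the output mistakes the buffering setting for a fix to CVE-2025-65114.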
FAQ
Apache says the affected versions are 9.0.0 through 9.2.12 and 10.0.0 through 10.1.1.
Apache says it is a POST request handling bug that can crash the server under a certain condition, leading to a denial-of-service scenario.
Apache says malformed chunked messages can trigger HTTP request smuggling in affected builds.
Only for CVE-2025-58136. Apache says setting proxy.config.http.request_buffer_enabled to 0 mitigates that crash path, but there is no workaround for CVE-2025-65114.