CVE-2025-58136
POST Request Handling Crash Vulnerability in Apache Traffic Server
Publication date: 2026-04-02
Last updated on: 2026-04-06
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | traffic_server | From 10.0.0 (inc) to 10.1.2 (exc) |
| apache | traffic_server | From 9.0.0 (inc) to 9.2.13 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a bug in the handling of POST requests in Apache Traffic Server. Under certain conditions, this bug causes the server to crash.
How can this vulnerability impact me?
The impact of this vulnerability is that the affected Apache Traffic Server instances may crash when processing certain POST requests. This can lead to denial of service, disrupting normal operations and availability of services relying on the server.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache Traffic Server to version 10.1.2 or 9.2.13, which contain the fix.
As a workaround for older versions, set the configuration parameter proxy.config.http.request_buffer_enabled to 0 (which is the default value).
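A triage check for the upgrade and workaround guidance above, added here as an example and not taken from the advisory or from the Apache Traffic Server project. It tests a version string against the ranges listed on this page and reads proxy.config.http.request_buffer_enabled from configuration text. Assumptions: the setting is given in the legacy records.config line syntax (CONFIG name INT value), the last occurrence wins, and the helper names and sample configuration are constructed for illustration.

```python
import re

# Affected ranges from the table on this page, as (first affected, first fixed).
AFFECTED = [((9, 0, 0), (9, 2, 13)), ((10, 0, 0), (10, 1, 2))]
PARAM = "proxy.config.http.request_buffer_enabled"


def parse_version(text):
    """Turn '9.2.11' or '10.1.0-rc1' into a comparable (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def in_affected_range(version):
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED)


def request_buffer_setting(records_text):
    """Effective value of PARAM; 0 (the default) when no line sets it."""
    value = 0
    for raw in records_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if fields[:3] == ["CONFIG", PARAM, "INT"] and len(fields) == 4:
            value = int(fields[3])  # assumption: the last occurrence wins
    return value


def triage(version, records_text):
    if not in_affected_range(version):
        return "outside listed ranges"
    if request_buffer_setting(records_text) == 0:
        return "affected version, workaround in place: schedule upgrade"
    return "affected version, workaround missing: set to 0 or upgrade"


# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
# request buffering turned on by an operator
CONFIG proxy.config.http.request_buffer_enabled INT 1
CONFIG proxy.config.http.cache.http INT 1
"""

if __name__ == "__main__":
    for ver in ("9.2.12", "9.2.13", "10.1.1", "10.1.2"):
        print(ver, "->", triage(ver, SAMPLE))
```

A result of "outside listed ranges" only means the version is not in the table on this page; it says nothing about releases the page does not list.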