CVE-2025-65114
HTTP Request Smuggling in Apache Traffic Server via Malformed Chunked Messages
Publication date: 2026-04-02
Last updated on: 2026-04-06
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | traffic_server | From 10.0.0 (inc) to 10.1.2 (exc) |
| apache | traffic_server | From 9.0.0 (inc) to 9.2.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Traffic Server allows HTTP request smuggling when chunked messages are malformed.
Request smuggling is a technique in which an attacker sends specially crafted HTTP requests so that an intermediary (here, the Traffic Server proxy) and the origin server disagree about where one request ends and the next begins; that disagreement can be used to bypass security controls or interfere with how subsequent requests are processed by the server.
How can this vulnerability impact me?
The vulnerability can allow attackers to smuggle HTTP requests through Apache Traffic Server, potentially bypassing security controls, causing unexpected behavior, or enabling further attacks such as cache poisoning or unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Traffic Server to version 9.2.13 or 10.1.2, which fix the request smuggling issue caused by malformed chunked messages.