CVE-2025-49763

EPSS 0.32%
Published 19.06.2025 10:15:21
Last modified 01.07.2025 20:15:05
Source security@apache.org
Teams watchlist Login
Open Login

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.

Users can use a new setting for the plugin (--max-inclusion-depth) to limit it.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6,  which fixes the issue.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Traffic Server Version >= 9.0.0 < 9.2.11

Apache ≫ Traffic Server Version >= 10.0.0 < 10.0.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.32%	0.546

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-49763

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49763

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49763

EUVD