anonhaven
Ad

CVE-2025-65114

HIGH CVSS 3.1: 7.5 EPSS 0.21%
Updated Apr 06, 2026
Apache
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions 10.0.0 — 9.2.13
Fixed In 9.2.13
Type CWE-444
Vendor Apache
Public PoC No

Apache Traffic Server allows request smuggling if chunked messages are malformed.  This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-444

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Apache Traffic_Server
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
 9.0.0 9.2.13
Apache Traffic_Server
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
 10.0.0 10.1.2

References 1

https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q
security@apache.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-25219

Apache

6.5

CVE-2025-54550

Apache

8.1

CVE-2026-31924

Apache

5.3

CVE-2026-31923

Apache

7.5

CVE-2026-31908

Apache

9.1