CVE-2025-49763
Publication date 19 June 2025
Last updated 25 June 2025
Ubuntu priority
Description
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| trafficserver | 26.04 LTS resolute | Not in release |
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needs-triage |
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-49763
- https://www.openwall.com/lists/oss-security/2025/06/17/7
- https://github.com/apache/trafficserver/commit/2db8b8dc96e57fc292850f77b9783630cc9590b9 (9.2.11-rc0)
- https://github.com/apache/trafficserver/commit/7f178de7de19498c1c320ea9b62c2f32355f3893 (master)