CVE-2025-31698
HIGHApache Traffic Server <9.2.10, <10.0.6 - Info Disclosure
Title source: llmDescription
ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
References (1)
Core 1
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8
Scores
CVSS v3
7.5
EPSS
0.0075
EPSS Percentile
73.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (1)
apache/traffic_server
9.0.0 - 9.2.11
Published
Jun 19, 2025
Tracked Since
Feb 18, 2026