CVE-2025-49763
HIGHApache Traffic Server 9.0.0-9.2.10 and 10.0.0-10.0.5 - Uncontrolled Resource Consumption in ESI Plugin
Title source: llmDescription
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
References (1)
Core 1
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8
Scores
CVSS v3
7.5
EPSS
0.0337
EPSS Percentile
87.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (1)
apache/traffic_server
9.0.0 - 9.2.11
Published
Jun 19, 2025
Tracked Since
Feb 18, 2026