Apache Traffic Control: ReDoS issue in Traffic Router configuration

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.

This issue affects Apache Traffic Control: all versions.

People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Basic Information

ID CVE-2025-61581

Source apache

Published Oct 16, 2025 at 08:40

Modified Oct 17, 2025 at 13:54

Affected Product

Vendor Apache Software Foundation

Product Apache Traffic Control

Affected Versions Apache Software Foundation Apache Traffic Control 0

CWE Classification

CWE-1333

References

lists.apache.org /thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp

{
    "lastseen": "",
    "description": "** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.\n\nThis issue affects Apache Traffic Control: all versions.\n\nPeople with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
    "published": "2025-10-16T08:40:11.865Z",
    "modified": "2025-10-17T13:54:36.239Z",
    "type": "cve",
    "title": "Apache Traffic Control: ReDoS issue in Traffic Router configuration",
    "source": "apache",
    "references": "https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp",
    "id": "CVE-2025-61581",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1333"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Traffic Control 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Traffic Control",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Traffic Control: ReDoS issue in Traffic Router configuration_CVE-2025-61581