Apache Traffic Server: A simple legitimate POST request causes a...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

A bug in POST request handling causes a crash under a certain condition.

This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.

Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.

A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).

Basic Information

ID CVE-2025-58136

Source apache

Published Apr 2, 2026 at 15:54

Modified Apr 2, 2026 at 18:13

Affected Product

Vendor Apache Software Foundation

Product Apache Traffic Server

Version 10.0.0

Affected Versions Apache Software Foundation Apache Traffic Server 10.0.0
Apache Software Foundation Apache Traffic Server 9.0.0

CWE Classification

CWE-670

References

lists.apache.org /thread/2s11roxlv1j8ph6q52rqo1klvl01n14q

{
    "lastseen": "",
    "description": "A bug in POST request handling causes a crash under a certain condition.\n\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.\n\nUsers are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.\n\nA workaround for older versions is to set\u00a0proxy.config.http.request_buffer_enabled to 0 (the default value is 0).",
    "published": "2026-04-02T15:54:47.013Z",
    "modified": "2026-04-02T18:13:21.125Z",
    "type": "cve",
    "title": "Apache Traffic Server: A simple legitimate POST request causes a crash",
    "source": "apache",
    "references": "https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q",
    "id": "CVE-2025-58136",
    "bulletinFamily": "",
    "cwe": [
        "CWE-670"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Traffic Server 10.0.0\nApache Software Foundation Apache Traffic Server 9.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Traffic Server",
    "version": "10.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Traffic Server: A simple legitimate POST request causes a crash_CVE-2025-58136