Apache Traffic Server: Malformed chunked message body allows request smuggling

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

Apache Traffic Server allows request smuggling if chunked messages are malformed.

This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.

Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

Basic Information

ID CVE-2025-65114

Source apache

Published Apr 2, 2026 at 15:55

Modified Apr 2, 2026 at 18:10

Affected Product

Vendor Apache Software Foundation

Product Apache Traffic Server

Version 9.0.0

Affected Versions Apache Software Foundation Apache Traffic Server 9.0.0
Apache Software Foundation Apache Traffic Server 10.0.0

CWE Classification

CWE-444

References

lists.apache.org /thread/2s11roxlv1j8ph6q52rqo1klvl01n14q

{
    "lastseen": "",
    "description": "Apache Traffic Server allows request smuggling if chunked messages are malformed.\u00a0\n\nThis issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.\n\nUsers are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.",
    "published": "2026-04-02T15:55:27.280Z",
    "modified": "2026-04-02T18:10:10.171Z",
    "type": "cve",
    "title": "Apache Traffic Server: Malformed chunked message body allows request smuggling",
    "source": "apache",
    "references": "https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q",
    "id": "CVE-2025-65114",
    "bulletinFamily": "",
    "cwe": [
        "CWE-444"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Traffic Server 9.0.0\nApache Software Foundation Apache Traffic Server 10.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Traffic Server",
    "version": "9.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Traffic Server: Malformed chunked message body allows request smuggling_CVE-2025-65114