Apache Traffic Server Vulnerability: DoS Attacks via Memory Exhaustion

A newly identified vulnerability in Apache Traffic Server (ATS) allows attackers to initiate denial-of-service (DoS) attacks by exhausting server memory. The vulnerability, CVE-2025-49763, affects the Edge Side Includes (ESI) plugin and could lead to significant disruptions for enterprise users and cloud providers. Let’s examine the details of this vulnerability and how to mitigate it.

Vulnerability Overview

The CVE-2025-49763 vulnerability resides in the ESI plugin of Apache Traffic Server. The ESI plugin is designed to enable dynamic web content assembly at the edge, enhancing the flexibility and performance of web applications. However, attackers can exploit a flaw in how ESI handles inclusion depth.

Specifically, attackers can craft malicious requests that cause the server to process ESI includes recursively. This recursive processing continues until the available memory is exhausted, resulting in a DoS condition. Such a condition can take critical web infrastructure offline, leading to service disruptions and potential financial losses.

Root Cause

The root cause of this vulnerability is the insufficient depth control within the ESI plugin’s inclusion mechanism. The ESI plugin allows for the inclusion of other resources. An attacker can create a request that includes nested resources circularly or deeply without proper limitations. Each inclusion consumes server memory, and with enough recursion, the server’s memory resources are depleted.

As a result, the Apache Traffic Server becomes unresponsive or crashes entirely, denying service to legitimate users. This attack is hazardous because it can be executed remotely without authentication or privileged access.

Affected Versions

The vulnerability affects the following versions of Apache Traffic Server:

  • 9.0.0 through 9.2.10
  • 10.0.0 through 10.0.5

Organizations running these versions in production environments are at immediate risk of service disruption. The Apache Software Foundation has confirmed that all installations within this version range are susceptible to the memory exhaustion attack.

Tactics, Techniques and Procedures (TTPs)

The relevant MITRE ATT&CK information includes:

  • TA0040 – Impact: Attackers aim to disrupt service availability.
  • T1498 – Denial of Service: Exploiting the ESI plugin to cause memory exhaustion, leading to a denial-of-service condition.

Impact & Exploit Potential

Successful exploitation of this vulnerability can render Apache Traffic Server unresponsive or cause it to crash completely, resulting in a denial of service for legitimate users. This attack vector is particularly dangerous as it can be carried out remotely without authentication or elevated access to the target system.

Mitigation Strategies

To address this vulnerability, Apache Traffic Server users should take the following steps:

  1. Upgrade ATS: Upgrade to Apache Traffic Server 9.2.11 or later for the 9.x branch, and 10.0.6 or later for the 10.x branch.
  2. Configure ESI Plugin: Configure the ESI plugin with the new --max-inclusion-depth setting, which caps the inclusion depth and prevents unbounded nesting. The default value is 3.
  3. Review PROXY Protocol Settings: Examine PROXY protocol settings and utilize the new proxy.config.acl.subjects option to control which IP addresses are subject to ACL rules. This helps mitigate related access control risks.

It’s important to note that the updated versions provide settings that reduce the issue rather than eliminate it, so the configuration changes above are essential.
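The depth cap that --max-inclusion-depth introduces, shown as an added example in Python that is not code from the ATS ESI plugin: a minimal include resolver over constructed fragments, where /a and /b include each other as in the circular case described under Root Cause. The fragment map, the simplified ESI tag syntax and the function names are assumptions for illustration.

```python
import re

# Constructed sample fragments standing in for origin responses, keyed by URL.
# "/a" and "/b" include each other, modelling the circular inclusion the
# advisory describes; "/two" -> "/one" -> "/leaf" is a bounded, legitimate chain.
FRAGMENTS = {
    "/page": '<html><esi:include src="/a"/></html>',
    "/a": '<p>A</p><esi:include src="/b"/>',
    "/b": '<p>B</p><esi:include src="/a"/>',
    "/two": '<div><esi:include src="/one"/></div>',
    "/one": '<span><esi:include src="/leaf"/></span>',
    "/leaf": "<p>leaf</p>",
}

# Minimal ESI include tag (assumed syntax for this example; real ESI has more forms).
INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    """Raised when an include would nest deeper than the configured limit."""


def assemble(url, max_depth=3, fetch=FRAGMENTS.get, _depth=0):
    """Resolve ESI includes in the fragment at `url`.

    max_depth mirrors --max-inclusion-depth (default 3). max_depth=None models
    the unpatched behaviour: on a circular include the recursion never ends and
    the partially assembled output keeps growing until resources run out.
    """
    body = fetch(url)
    if body is None:
        return ""  # unknown fragment: emit nothing for the include
    out, pos = [], 0
    for match in INCLUDE_RE.finditer(body):
        if max_depth is not None and _depth + 1 > max_depth:
            raise InclusionDepthExceeded(
                f"{url}: include of {match.group(1)} exceeds depth {max_depth}")
        out.append(body[pos:match.start()])
        out.append(assemble(match.group(1), max_depth, fetch, _depth + 1))
        pos = match.end()
    out.append(body[pos:])
    return "".join(out)


def try_assemble(url, max_depth=3):
    """Return ("ok", html) or ("rejected", reason) so a caller can serve an error."""
    try:
        return "ok", assemble(url, max_depth)
    except InclusionDepthExceeded as exc:
        return "rejected", str(exc)
```

With the cap in place the circular page is rejected at the fourth nesting level and the request can be answered with an error; with no cap the same page recurses until Python's own recursion limit stops it, the stand-in here for the server running out of memory.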

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.