VYPR
Unrated severity · NVD Advisory · Published Jul 26, 2024 · Updated Nov 3, 2025

Apache Traffic Server: Incomplete field name check allows request smuggling

CVE-2023-38522

Description

Apache Traffic Server accepts characters that are not allowed in HTTP field names and forwards the resulting malformed requests to origin servers. This can be used for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
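The check the description refers to can be applied on the defender's side to captured or logged request heads. The following is an added example, not code from Apache Traffic Server or from this advisory: it validates field names against the RFC 9110 `token` grammar. The advisory does not say which characters were accepted, so the sample request is constructed, and the names `invalid_bytes` and `audit_field_names` are hypothetical.

```python
import string

# RFC 9110, section 5.1 and 5.6.2: field-name = token = 1*tchar
TCHAR = frozenset(b"!#$%&'*+-.^_`|~" + (string.digits + string.ascii_letters).encode())


def invalid_bytes(name: bytes) -> bytes:
    """Return the bytes of a field name that are not tchar, in order of appearance."""
    return bytes(b for b in name if b not in TCHAR)


def audit_field_names(raw_head: bytes):
    """Return (line_number, field_name, reason) for each header line whose name
    is not a valid token. A strict proxy rejects such a request (400) instead of
    forwarding it to the origin."""
    findings = []
    head, _, _body = raw_head.partition(b"\r\n\r\n")
    # Line 1 is the request line; header lines start at line 2.
    for lineno, line in enumerate(head.split(b"\r\n")[1:], start=2):
        name, sep, _value = line.partition(b":")
        if not sep:
            findings.append((lineno, line, "missing colon"))
        elif not name:
            findings.append((lineno, name, "empty field name"))
        elif invalid_bytes(name):
            findings.append((lineno, name, "invalid bytes %r" % invalid_bytes(name)))
    return findings


# Constructed sample, not taken from the advisory: three malformed field names.
SAMPLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: origin.example\r\n"
    b"Content-Length: 5\r\n"
    b"X-Example : 1\r\n"        # whitespace before the colon
    b"X-Trace\x0bId: abc\r\n"   # control character inside the name
    b"X(Debug): 1\r\n"          # delimiter characters inside the name
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for lineno, name, reason in audit_field_names(SAMPLE):
        print(f"line {lineno}: {name!r}: {reason}")
```
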

Affected products

2
  • Apache/Traffic Server: 2 versions
    8.0.0-8.1.10, 9.0.0-9.2.4 + 1 more
    • (no CPE) range: 8.0.0-8.1.10, 9.0.0-9.2.4
    • (no CPE) range: 8.0.0
