VYPR
Unrated severityNVD Advisory· Published Jul 26, 2024· Updated Nov 3, 2025

Apache Traffic Server: Incomplete check for chunked trailer section allows request smuggling

CVE-2024-35161

Description

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Affected products

2
  • Apache/Traffic Serverllm-fuzzy2 versions
    >=8.0.0 <=8.1.10 || >=9.0.0 <=9.2.4+ 1 more
    • (no CPE)range: >=8.0.0 <=8.1.10 || >=9.0.0 <=9.2.4
    • (no CPE)range: 8.0.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.