Traffic Server
Sign in to watchby Apache
CVEs (12)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-3249 | Cri | 0.64 | 9.8 | 0.04 | Oct 30, 2017 | The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function. | |
| CVE-2014-3624 | Cri | 0.64 | 9.8 | 0.00 | Oct 30, 2017 | Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. | |
| CVE-2015-5206 | Cri | 0.64 | 9.8 | 0.02 | Sep 13, 2017 | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168. | |
| CVE-2015-5168 | Cri | 0.64 | 9.8 | 0.02 | Sep 13, 2017 | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206. | |
| CVE-2025-65114 | Hig | 0.49 | 7.5 | 0.00 | Apr 2, 2026 | Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue. | |
| CVE-2025-58136 | Hig | 0.49 | 7.5 | 0.00 | Apr 2, 2026 | A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue. A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0). | |
| CVE-2017-5659 | Hig | 0.49 | 7.5 | 0.02 | Apr 17, 2017 | Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding. | |
| CVE-2016-5396 | Hig | 0.49 | 7.5 | 0.02 | Apr 17, 2017 | Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. | |
| CVE-2014-10022 | 0.00 | — | 0.03 | Jan 13, 2015 | Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing. | ||
| CVE-2014-3525 | 0.00 | — | 0.01 | Aug 22, 2014 | Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks. | ||
| CVE-2012-0256 | 0.00 | — | 0.02 | Mar 26, 2012 | Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows remote attackers to cause a denial of service (daemon crash) via a long HTTP Host header. | ||
| CVE-2010-2952 | 0.00 | — | 0.01 | Sep 13, 2010 | Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and does not properly use DNS query fields to validate responses, which makes it easier for man-in-the-middle attackers to poison the internal DNS cache via a crafted response. |