
Apache Traffic Server

83 known vulnerabilities across versions
Vulnerabilities are listed by affected version. The range shown is the one recorded for the entry; where an advisory names several ranges (for example CVE-2017-7671, whose description also covers 6.0.0 to 6.2.0 and 7.0.0), only the first appears here, so read the full description before concluding that a version is unaffected. Descriptions are truncated excerpts; select any CVE for the full briefing and its intelligence graph.
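The range strings used in this listing (">= 9.0.0 and < 9.2.13", "<= 6.2.0", "< 7.1.7", "all versions") are easy to misjudge by eye when the installed version has a different number of components, so here is an added example that parses those strings and matches a version against a constructed excerpt of the listing. It is not code from this site or from Apache Traffic Server; the LISTING table is a hand-copied subset of the entries below, and the function names and the zero-padding rule for short versions are the example's own choices.

```python
import re
from typing import Callable

# Constructed excerpt of the listing on this page: (CVE, range string, score
# and severity).  Illustrative subset, not the full feed.
LISTING = [
    ("CVE-2025-65114", ">= 9.0.0 and < 9.2.13", "7.5 HIGH"),
    ("CVE-2025-49763", ">= 9.0.0 and < 9.2.11", "7.5 HIGH"),
    ("CVE-2024-50306", ">= 10.0.0 and < 10.0.2", "9.1 CRITICAL"),
    ("CVE-2024-38479", ">= 8.0.0 and <= 8.1.11", "7.5 HIGH"),
    ("CVE-2019-10079", "< 7.1.7", "7.5 HIGH"),
    ("CVE-2017-5660", "<= 6.2.0", "8.6 HIGH"),
    ("CVE-2021-27737", "all versions", "7.5 HIGH"),
]

_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}
_CLAUSE = re.compile(r"^(>=|<=|>|<|=)\s*(\d+(?:\.\d+)*)$")


def parse_version(s: str) -> tuple:
    """'9.2.13' -> (9, 2, 13).  Anything that is not dotted integers
    ('9.x', '8.1.11-rc1') raises instead of being compared lexically."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"bad version: {s!r}")
    return tuple(int(p) for p in s.split("."))


def _pad(a: tuple, b: tuple) -> tuple:
    """Right-pad with zeros so '9.2' compares equal to '9.2.0' rather than
    sorting below it, as bare tuple comparison would."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, range_str: str) -> bool:
    """True when `version` satisfies every clause of `range_str`.
    Clauses are joined with 'and'; 'all versions' matches everything."""
    if range_str.strip().lower() == "all versions":
        return True
    v = parse_version(version)
    for clause in range_str.split(" and "):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        a, b = _pad(v, parse_version(m.group(2)))
        if not _OPS[m.group(1)](a, b):
            return False
    return True


def affecting(version: str, listing=LISTING) -> list:
    """CVE IDs from `listing` whose range contains `version`, highest
    score first (ties keep listing order)."""
    hits = [row for row in listing if version_in_range(version, row[1])]
    hits.sort(key=lambda row: float(row[2].split()[0]), reverse=True)
    return [row[0] for row in hits]


if __name__ == "__main__":
    for v in ("9.2.10", "9.2.13", "7.1.6", "10.0.1"):
        print(f"{v}: {affecting(v)}")
```

Because "all versions" matches every input, an entry carrying that range will show up for any version you test; treat those hits as a prompt to read the description rather than as a confirmed match.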
CVE-2025-65114
>= 9.0.0 and < 9.2.13
Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: fro
7.5 HIGH
CVE-2025-58136
>= 9.0.0 and < 9.2.13
A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 th
7.5 HIGH
CVE-2025-49763
>= 9.0.0 and < 9.2.11
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instruct
7.5 HIGH
CVE-2025-31698
>= 9.0.0 and < 9.2.11
ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a
7.5 HIGH
CVE-2024-53868
>= 9.0.0 and < 9.2.10
Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server:
7.5 HIGH
CVE-2024-56196
>= 10.0.0 and < 10.0.4
Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.
6.3 MEDIUM
CVE-2024-56195
>= 9.0.0 and < 9.2.9
Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.
6.3 MEDIUM
CVE-2024-38311
>= 9.0.0 and < 9.2.9
Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.
6.3 MEDIUM
CVE-2024-56202
>= 9.0.0 and < 9.2.9
Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through
4.3 MEDIUM
CVE-2018-9481
>= 6.0.0 and <= 6.2.3
In bta_hd_set_report_act of bta_hd_act.cc, there is a possible out-of-bounds read due to an integer overflow. This could lead to r
6.5 MEDIUM
Note: this description refers to the Android Bluetooth stack (bta_hd_act.cc), not to Apache Traffic Server; the entry and its version range appear to be misattributed and should be verified against the CVE record before being acted on.
CVE-2024-50306
>= 10.0.0 and < 10.0.2
Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server:
9.1 CRITICAL
CVE-2024-50305
>= 9.0.0 and < 9.2.6
Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: fro
7.5 HIGH
CVE-2024-38479
>= 8.0.0 and <= 8.1.11
Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.
7.5 HIGH
CVE-2024-35296
>= 8.0.0 and < 8.1.11
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue aff
8.2 HIGH
CVE-2024-35161
>= 8.0.0 and < 8.1.11
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smugglin
7.5 HIGH
CVE-2023-38522
>= 8.0.0 and < 8.1.11
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin serve
7.5 HIGH
CVE-2024-31309
>= 8.0.0 and < 8.1.10
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 thro
7.5 HIGH
CVE-2023-41752
>= 8.0.0 and < 8.1.9
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server. This issue affects Apache Traffi
7.5 HIGH
CVE-2023-39456
>= 9.0.0 and < 9.2.3
Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Se
7.5 HIGH
CVE-2023-44487
>= 8.0.0 and < 8.1.9
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
7.5 HIGH
CVE-2023-33934
>= 8.0.0 and <= 8.1.7
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Serv
9.1 CRITICAL
CVE-2022-47185
>= 8.0.0 and <= 8.1.7
Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server. This issue affects
7.5 HIGH
CVE-2023-33933
>= 8.0.0 and < 8.1.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server. This
7.5 HIGH
CVE-2023-30631
>= 8.0.0 and < 8.1.7
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.con
7.5 HIGH
CVE-2022-47184
>= 8.0.0 and < 8.1.7
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server. This
7.5 HIGH
CVE-2022-40743
>= 8.0.0 and <= 8.1.5
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cros
6.1 MEDIUM
CVE-2022-37392
>= 8.0.0 and < 8.1.6
Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue
5.3 MEDIUM
CVE-2022-32749
>= 8.0.0 and < 8.1.6
Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker t
7.5 HIGH
CVE-2022-31780
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests.
7.5 HIGH
CVE-2022-31779
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests.
7.5 HIGH
CVE-2022-31778
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to po
7.5 HIGH
CVE-2022-28129
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid hea
7.5 HIGH
CVE-2022-25763
>= 8.0.0 and < 8.1.5
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle
7.5 HIGH
CVE-2021-37150
>= 8.0.0 and <= 8.1.4
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources.
7.5 HIGH
CVE-2021-44759
>= 8.0.0 and <= 8.1.0
Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the
8.1 HIGH
CVE-2021-44040
>= 8.0.0 and <= 8.1.3
Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid reques
7.5 HIGH
CVE-2021-43082
>= 8.0.0 and <= 8.1.2
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traff
9.8 CRITICAL
CVE-2021-41585
>= 8.0.0 and <= 8.1.2
Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the se
7.5 HIGH
CVE-2021-38161
>= 8.0.0 and <= 8.0.8
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. Th
8.1 HIGH
CVE-2021-37149
>= 8.0.0 and <= 8.1.2
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This is
7.5 HIGH
CVE-2021-37148
>= 8.0.0 and <= 8.1.2
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This is
7.5 HIGH
CVE-2021-37147
>= 8.0.0 and <= 8.1.2
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This is
7.5 HIGH
CVE-2021-35474
>= 7.0.0 and <= 7.1.12
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.
9.8 CRITICAL
CVE-2021-32567
>= 7.0.0 and <= 7.1.12
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affect
7.5 HIGH
CVE-2021-32566
>= 7.0.0 and <= 7.1.12
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affect
7.5 HIGH
CVE-2021-32565
>= 7.0.0 and <= 7.1.12
Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affec
7.5 HIGH
CVE-2021-27577
>= 7.0.0 and <= 7.1.12
Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affec
7.5 HIGH
CVE-2021-27737
9.0.0
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
7.5 HIGH
CVE-2020-17509
>= 6.0.0 and <= 6.2.3
ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable th
7.5 HIGH
CVE-2020-17508
>= 6.0.0 and <= 6.2.3
The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server vers
7.5 HIGH
CVE-2020-9494
>= 6.0.0 and <= 6.2.3
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames
7.5 HIGH
CVE-2020-9481
>= 6.0.0 and <= 6.2.3
Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.
7.5 HIGH
CVE-2020-1944
>= 6.0.0 and <= 6.2.3
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and T
9.8 CRITICAL
CVE-2019-17565
>= 6.0.0 and <= 6.2.3
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and c
9.8 CRITICAL
CVE-2019-17559
>= 6.0.0 and <= 6.2.3
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and s
9.8 CRITICAL
CVE-2019-10079
< 7.1.7
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the nu
7.5 HIGH
CVE-2019-9518
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker se
7.5 HIGH
CVE-2019-9517
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. Th
7.5 HIGH
CVE-2019-9516
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stre
6.5 MEDIUM
CVE-2019-9515
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a s
7.5 HIGH
CVE-2019-9514
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a numb
7.5 HIGH
CVE-2019-9513
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates mul
7.5 HIGH
CVE-2019-9512
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continua
7.5 HIGH
CVE-2019-9511
>= 6.0.0 and <= 6.2.3
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading
7.5 HIGH
CVE-2018-11783
>= 6.0.0 and <= 6.0.3
sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of t
7.5 HIGH
CVE-2018-8040
>= 6.0.0 and <= 6.2.2
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow acces
5.3 MEDIUM
CVE-2018-8022
>= 6.0.0 and <= 6.2.2
A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolv
7.5 HIGH
CVE-2018-8005
>= 6.0.0 and <= 6.2.2
When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can ca
5.3 MEDIUM
CVE-2018-8004
>= 6.0.0 and <= 6.2.2
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic S
6.5 MEDIUM
CVE-2018-1318
>= 6.0.0 and <= 6.2.2
Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apa
7.5 HIGH
CVE-2017-7671
>= 5.2.0 and <= 5.3.2
There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2.0 to 5.3.2, 6.0.0 to 6.2.0, and 7.0.0 with the TLS handshak
7.5 HIGH
CVE-2017-5660
<= 6.2.0
There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding.
8.6 HIGH
CVE-2015-3249
>= 5.3.0 and < 5.3.1
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (
9.8 CRITICAL
CVE-2014-3624
>= 5.1.0 and < 5.1.1
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly t
9.8 CRITICAL
CVE-2015-5206
>= 5.3.0 and < 5.3.2
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact
9.8 CRITICAL
CVE-2015-5168
>= 5.3.0 and < 5.3.2
Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and at
9.8 CRITICAL
CVE-2017-5659
<= 6.2.0
Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding.
7.5 HIGH
CVE-2016-5396
>= 6.0.0 and <= 6.2.0
Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack.
7.5 HIGH
CVE-2014-10022
<= 5.1.1
Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to intern
CVE-2014-3525
>= 3.0.0 and <= 3.2.5, >= 4.0.0 and < 4.2.1.1, >= 5.0.0 and < 5.0.1
Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact
CVE-2012-0256
2.0.x, >= 3.0.0 and < 3.0.4, >= 3.1.0 and < 3.1.3
Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows rem
CVE-2010-2952
<= 2.0.0
Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs
CVE-2002-1013
Inktomi Traffic Server 4.0.18 through 5.2.2; Traffic Edge 1.1.2 and 1.5.0
Buffer overflow in traffic_manager for Inktomi Traffic Server 4.0.18 through 5.2.2, Traffic Edge 1.1.2 and 1.5.0, and Media-IXT 3.
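Several entries above (CVE-2025-65114, CVE-2024-53868, CVE-2024-35161, CVE-2022-31778, CVE-2021-32565, CVE-2017-5659) come down to a proxy and an origin disagreeing about where a message body ends, because one of them tolerated a chunk-size line, a trailer, or a Content-Length that the other parsed differently. The following is an added example, not code from Apache Traffic Server and not a reproduction of any listed CVE's trigger: a strict HTTP/1.1 chunked-body decoder and a body-framing check that refuse every ambiguous form instead of guessing. The sample bodies and header lists are constructed for the demonstration; the function names and the MalformedChunked exception are the example's own.

```python
import re

# chunk-size must be one or more hex digits and nothing else: no sign, no '0x'
# prefix, no surrounding whitespace (RFC 9112 section 7.1).  Bad whitespace
# before a ';' extension is refused as well.
_HEX = re.compile(rb"[0-9A-Fa-f]+")


class MalformedChunked(ValueError):
    """Raised instead of guessing; a guess that differs from the next hop's
    guess is what turns a malformed body into a request desync."""


def _read_line(buf: bytes, pos: int):
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise MalformedChunked("missing CRLF")
    return buf[pos:end], end + 2


def decode_chunked(body: bytes) -> bytes:
    """Strictly decode a complete chunked body and return the payload."""
    out = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(body, pos)
        size_field = line.split(b";", 1)[0]  # extensions are dropped, not validated
        if not _HEX.fullmatch(size_field):
            raise MalformedChunked(f"bad chunk-size {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            break
        if len(body) < pos + size + 2:
            raise MalformedChunked("chunk data truncated")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedChunked("chunk data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2
    # Trailer section: zero or more 'name: value' lines, then an empty line.
    while True:
        line, pos = _read_line(body, pos)
        if line == b"":
            break
        if b":" not in line:
            raise MalformedChunked(f"bad trailer field {line!r}")
    if pos != len(body):
        raise MalformedChunked("bytes after the last chunk")
    return bytes(out)


def framing(headers: list) -> str:
    """Decide how a body is delimited from a list of (name, value) header
    pairs.  Ambiguous combinations are rejected rather than resolved:
    Content-Length together with Transfer-Encoding, a Transfer-Encoding whose
    final coding is not a single 'chunked', duplicate Content-Length values
    that disagree, or a Content-Length that is not a plain decimal number."""
    cls = [v.strip() for n, v in headers if n.lower() == "content-length"]
    tes = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if tes:
        if cls:
            raise MalformedChunked("both Content-Length and Transfer-Encoding")
        codings = [c.strip().lower() for c in ",".join(tes).split(",")]
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            raise MalformedChunked(f"unsupported Transfer-Encoding {tes!r}")
        return "chunked"
    if cls:
        if len(set(cls)) != 1 or not re.fullmatch(r"[0-9]+", cls[0]):
            raise MalformedChunked(f"bad Content-Length {cls!r}")
        return "content-length"
    return "none"


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises MalformedChunked."""
    try:
        fn(*args)
    except MalformedChunked:
        return True
    return False


# Constructed sample bodies, not captured traffic.
GOOD = b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\nX-Trailer: ok\r\n\r\n"
BAD = [
    b"0x5\r\nhello\r\n0\r\n\r\n",     # '0x' prefix on chunk-size
    b" 5\r\nhello\r\n0\r\n\r\n",      # leading whitespace
    b"5 \r\nhello\r\n0\r\n\r\n",      # trailing whitespace
    b"+5\r\nhello\r\n0\r\n\r\n",      # sign
    b"5\r\nhello!\r\n0\r\n\r\n",      # data longer than chunk-size
    b"5\r\nhello\r\n0\r\n\r\nextra",  # bytes after the terminating chunk
]


def demo() -> dict:
    return {
        "payload": decode_chunked(GOOD),
        "rejected": sum(is_rejected(decode_chunked, b) for b in BAD),
    }


if __name__ == "__main__":
    print(demo())
```

The point of rejecting rather than normalising is that a proxy which silently "repairs" a chunk-size line such as " 5" or "0x5" has to hope the origin repairs it the same way; when the two disagree, the remainder of the body is read as the start of a new request on the shared upstream connection, which is the smuggling condition those advisories describe.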
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin