Severity
Medium
Analysis Summary
A critical remote Denial-of-Service (DoS) vulnerability, tracked as CVE-2025-49763, has been discovered in Apache Traffic Server, specifically within its Edge Side Includes (ESI) plugin. The flaw allows unauthenticated remote attackers to exhaust server memory by sending specially crafted HTTP/HTTPS requests that exploit insufficient depth controls in the ESI inclusion mechanism. The result is a server that becomes unresponsive or crashes, denying access to legitimate users. This poses a major threat, particularly in high-traffic environments where ESI is commonly used to optimize dynamic content delivery.
This vulnerability affects Apache Traffic Server versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5. An attacker needs only network access to a server with the ESI plugin enabled, making this a low-barrier attack. It carries a CVSS rating of High, underscoring the severity of the threat. The Apache Software Foundation has acknowledged the issue and confirmed that all installations running the affected versions are vulnerable. Additionally, a related but less-documented Access Control List (ACL) issue was identified concurrently, adding complexity to mitigation efforts and elevating the overall risk profile for impacted organizations.
To address the vulnerability, Apache has released version 9.2.11 for the 9.x series and 10.0.6 for the 10.x series. These updates do not fully eliminate the vulnerability but provide mitigation options through new configuration settings. Specifically, a new parameter, max-inclusion-depth, is introduced with a default value of 3, which limits how deeply ESI includes can nest. This setting prevents recursive or infinite ESI inclusion chains that lead to memory exhaustion, but requires administrators to manually configure it according to their environment and usage patterns.
The Apache Software Foundation urges users to evaluate their ESI plugin use and apply both the software updates and the new configuration settings immediately. This includes tuning the max-inclusion-depth value as part of broader security hardening procedures. Given the remote, unauthenticated nature of the exploit and the impact on service availability, timely mitigation is essential to prevent potential exploitation in production systems.
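To illustrate why a nesting limit stops the memory-exhaustion chain, the following is an added, self-contained model of ESI include resolution with a max-inclusion-depth bound. It is illustrative code written for this advisory, not the Apache Traffic Server ESI plugin's implementation; the fragment store, the depth-counting convention (top-level document is depth 0) and the helper names are assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed origin fragments for the example (hypothetical, not real ATS content).
# "/page" -> "/a" -> "/b" -> "/c" is a legitimate three-level chain;
# "/loop" includes itself, which an unbounded resolver would expand forever.
FRAGMENTS: Dict[str, str] = {
    "/page": '<p>header</p><esi:include src="/a"/><p>footer</p>',
    "/a": '<div>a:<esi:include src="/b"/></div>',
    "/b": '<div>b:<esi:include src="/c"/></div>',
    "/c": '<span>c</span>',
    "/loop": '<div>loop:<esi:include src="/loop"/></div>',
}

INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    """Raised when include nesting goes deeper than the configured limit."""


def resolve(path: str, max_inclusion_depth: int = 3, _depth: int = 0) -> str:
    """Assemble a fragment, expanding <esi:include> tags recursively.

    max_inclusion_depth bounds the nesting: the top-level document is depth 0,
    a fragment it includes is depth 1, and so on. Without this check a
    self-referencing fragment recurses until memory or the stack is exhausted.
    """
    if _depth > max_inclusion_depth:
        raise InclusionDepthExceeded(
            f"{path} nested deeper than max-inclusion-depth={max_inclusion_depth}")
    body = FRAGMENTS[path]

    def expand(match: "re.Match[str]") -> str:
        # Each nested include is resolved one level deeper than its parent.
        return resolve(match.group(1), max_inclusion_depth, _depth + 1)

    return INCLUDE_RE.sub(expand, body)


def check(path: str, max_inclusion_depth: int = 3) -> Tuple[bool, str]:
    """Return (ok, output-or-reason) so a rejected request is logged, not fatal."""
    try:
        return True, resolve(path, max_inclusion_depth)
    except InclusionDepthExceeded as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check("/page"))   # legitimate chain fits within the default of 3
    print(check("/loop"))   # self-include is cut off instead of exhausting memory
```

Tuning the limit below the depth your templates actually need (for example 2 for the fragments above) rejects legitimate pages, which is why the advisory tells administrators to set it according to their own usage patterns.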
Impact
- Denial of Service
- Gain Access
Indicators of Compromise
CVE
CVE-2025-49763
Affected Vendors
- Apache Software Foundation
Affected Products
- Apache Traffic Server versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5
Remediation
- Upgrade Apache Traffic Server to version 9.2.11 or later for 9.x and 10.0.6 or later for 10.x.
- Configure the new max-inclusion-depth setting, which is set to 3 by default, and adjust it based on your specific usage needs to prevent recursive or excessive ESI includes.
- Disable the ESI plugin if it is not required in your environment.
- Review and harden Access Control List configurations to reduce exposure, applying stricter access controls wherever possible.
- Restrict network access to Apache Traffic Server by limiting access to trusted IP ranges or internal networks.
- Monitor system performance by setting up alerts for unusual memory usage or crashes that may indicate exploitation attempts.
- Conduct regular security reviews to reassess plugin usage and configuration settings for evolving threats.