Apache Traffic Server ESI Plugin Memory Exhaustion Vulnerability Leading to Remote Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Apache Traffic Server ESI plugin, versions 10.0.0 prior to 10.0.5 and 9.0.0 prior to 9.2.10. The vulnerability arises from the absence of a maximum inclusion depth limit, so crafted ESI instructions that nest includes without bound can drive memory consumption up until the server is exhausted. Versions 9.2.11 and 10.0.6 address this issue; users are advised to upgrade and to configure the new maximum inclusion depth setting to mitigate memory exhaustion.

Impact

Exploitation of this vulnerability leads to excessive memory consumption, causing a remote denial-of-service condition.

Remediation

Users of Apache Traffic Server 9.x should upgrade to 9.2.11 or later, while 10.x users should upgrade to 10.0.6 or later. After upgrading, users can configure the ESI plugin's maximum inclusion depth to prevent unbounded inclusion; the default value is 3.
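The following is an added illustration of the mitigation described above and is not code from the Apache Traffic Server ESI plugin. It models an ESI include expander with a simplified tag pattern, an in-memory stand-in for the origin server, and constructed fragments; the expand function, the CountingFetcher class and the fragment paths are assumptions made for this example. It shows why a depth limit bounds the work: a legitimate three-level chain renders fully at the default limit of 3, while a fragment that includes itself is cut off after exactly three fetches instead of expanding without end.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Simplified ESI include tag pattern for this example; the plugin's real parser is fuller.
INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')

# Default limit, matching the default value stated in the advisory.
DEFAULT_MAX_DEPTH = 3


class InclusionDepthExceeded(Exception):
    """Raised when an include would nest deeper than the configured limit."""


def expand(body: str, fetch: Callable[[str], str],
           max_depth: int = DEFAULT_MAX_DEPTH, depth: int = 0) -> str:
    """Expand esi:include tags recursively, refusing to nest beyond max_depth.

    depth is the nesting level of `body` itself: 0 for the top-level document,
    1 for a fragment it includes, and so on. Without this check, a fragment that
    includes itself (directly or through a cycle) would be expanded without bound.
    """
    def replace(match: re.Match) -> str:
        src = match.group(1)
        if depth + 1 > max_depth:
            raise InclusionDepthExceeded(
                f"include of {src!r} at depth {depth + 1} exceeds limit {max_depth}")
        return expand(fetch(src), fetch, max_depth, depth + 1)

    return INCLUDE_RE.sub(replace, body)


class CountingFetcher:
    """In-memory stand-in for the origin server (an assumption for this example);
    counts fetches so the test can show that the work done stays bounded."""

    def __init__(self, fragments: Dict[str, str]):
        self.fragments = fragments
        self.fetches = 0

    def __call__(self, src: str) -> str:
        self.fetches += 1
        return self.fragments[src]


# Constructed fragments: a legitimate three-level chain and a self-including cycle.
FRAGMENTS = {
    "/a": 'A[<esi:include src="/b"/>]',
    "/b": 'B[<esi:include src="/c"/>]',
    "/c": "C",
    "/loop": 'L[<esi:include src="/loop"/>]',
}


def expand_or_error(top: str, max_depth: int = DEFAULT_MAX_DEPTH) -> Tuple[Optional[str], int]:
    """Return (rendered_text, fetch_count) on success, or (None, fetch_count)
    when the depth limit stops expansion."""
    fetcher = CountingFetcher(FRAGMENTS)
    try:
        return expand(top, fetcher, max_depth), fetcher.fetches
    except InclusionDepthExceeded:
        return None, fetcher.fetches


if __name__ == "__main__":
    print(expand_or_error('<esi:include src="/a"/>'))      # ('A[B[C]]', 3)
    print(expand_or_error('<esi:include src="/loop"/>'))   # (None, 3)
```

The fetch count is the quantity to watch: whatever the limit is set to, the number of upstream fetches and the amount of buffered fragment text for one request can never exceed that many levels, which is what turns an unbounded recursion into a bounded, rejectable one. Choosing the limit is a trade-off between how deeply legitimate pages nest fragments and how much work a single request may cause.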

Added: Jun 19, 2025, 10:20 AM
Updated: Jun 19, 2025, 10:20 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 7.6
remediation: 8.3
relevance: 0.2
threat: 0.1
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.