{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-58136", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-08-25T21:36:46.557Z", "datePublished": "2026-04-02T15:54:47.013Z", "dateUpdated": "2026-04-02T18:13:21.125Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Traffic Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "10.1.1", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.12", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A bug in POST request handling causes a crash under a certain condition.</p><p>This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.</p><p>Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.</p>A workaround for older versions is to set&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">proxy.config.http.request_buffer_enabled to 0 (the default value is 0).&nbsp;</span><br>"}], "value": "A bug in POST request handling causes a crash under a certain condition.\n\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.\n\nUsers are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.\n\nA workaround for older versions is to set\u00a0proxy.config.http.request_buffer_enabled to 0 (the default value is 0)."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-02T15:54:47.013Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Traffic Server: A simple legitimate POST request causes a crash", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:12:52.546152Z", "id": "CVE-2025-58136", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:13:21.125Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "361CCF7A-CB22-4074-A902-779476856482", "versionEndExcluding": "9.2.13", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA23F0DC-E368-4327-87A1-A0DCD8553AFF", "versionEndExcluding": "10.1.2", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A bug in POST request handling causes a crash under a certain condition.\n\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.\n\nUsers are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.\n\nA workaround for older versions is to set\u00a0proxy.config.http.request_buffer_enabled to 0 (the default value is 0)."}], "id": "CVE-2025-58136", "lastModified": "2026-04-06T16:06:11.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-02T17:16:20.933", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.1.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.2.12]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Traffic Server", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "traffic_server", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-06T19:55:33.090570+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Traffic Server to at least version 10.1.2 or 9.2.13.", "If upgrading is not immediately possible, set proxy.config.http.request_buffer_enabled to 0 to prevent the crash.", "Verify that the server no longer crashes after applying the patch or configuration change.", "Monitor system logs for any remaining crash events and apply future vendor releases promptly."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Apache Traffic Server versions 10.0.0 through 10.1.1 and 9.0.0 through 9.2.12 are vulnerable. The issue is resolved in 10.1.2 and 9.2.13. For older releases the recommended mitigation is to set proxy.config.http.request_buffer_enabled to 0, the default value, to prevent the crash.", "description_and_impact": "A bug in Apache Traffic Server\u2019s handling of POST requests can cause the server to terminate when receiving a legitimate request, resulting in an availability outage. The flaw involves improper release of a reference counted resource and is identified as CWE\u2011670. The crash occurs under a specific internal condition triggered by a normal HTTP POST operation.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high severity. The EPSS score of less than 1% indicates the likelihood of exploitation is currently low and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network access capable of sending a POST request; this inference is derived from the description stating that a legitimate POST request can trigger the crash."}}}}, "created": "2026-04-03T07:36:17.897654+00:00", "updated": "2026-04-07T07:56:08.901137+00:00", "vendors": ["apache", "apache$PRODUCT$traffic_server"]}