CVE-2025-31698

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-31698
ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.  This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
History

01 Jul 2025, 20:14

Type Values Removed Values Added
References () https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 - () https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8 - Mailing List, Vendor Advisory
First Time Apache
Apache traffic Server
CPE cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*

20 Jun 2025, 14:15

Type Values Removed Values Added
Summary
  • (es) La ACL configurada en ip_allow.config o remap.config no utiliza las direcciones IP proporcionadas por el protocolo PROXY. Los usuarios pueden usar una nueva configuración (proxy.config.acl.subjects) para elegir las direcciones IP que se usarán para la ACL si Apache Traffic Server está configurado para aceptar el protocolo PROXY. Este problema afecta a las versiones undefined: de la 10.0.0 a la 10.0.6 y de la 9.0.0 a la 9.2.10. Se recomienda actualizar a la versión 9.2.11 o 10.0.6, que soluciona el problema.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5

19 Jun 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-19 10:15

Updated : 2025-07-01 20:14

NVD link : CVE-2025-31698

Mitre link : CVE-2025-31698

CVE.ORG link : CVE-2025-31698

JSON object : View

Products Affected

apache

  • traffic_server
CWE
CWE-284

Improper Access Control