CVE-2025-49763

{"id": "CVE-2025-49763", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-06-19T10:15:21.887", "references": [{"url": "https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue."}, {"lang": "es", "value": "El complemento ESI no tiene l\u00edmite de profundidad m\u00e1xima de inclusi\u00f3n, lo que permite un consumo excesivo de memoria si se insertan instrucciones maliciosas. Los usuarios pueden usar una nueva configuraci\u00f3n del complemento (--max-inclusion-depth) para limitarlo. Este problema afecta a Apache Traffic Server: de la 10.0.0 a la 10.0.5 y de la 9.0.0 a la 9.2.10. Se recomienda actualizar a la versi\u00f3n 9.2.11 o 10.0.6, que soluciona el problema."}], "lastModified": "2025-07-01T20:15:05.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7AB2F8C0-3B8A-4C21-8358-4718FB3ECA5C", "versionEndExcluding": "9.2.11", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5AF96465-2A06-4EC2-832C-36A094908691", "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}