CVE-2025-49763 - Remote DoS via Memory Exhaustion in Apache Traffic Server via ESI Plugin
Imperva’s Offensive Security Team discovered CVE-2025-49763, a high-severity vulnerability (CVSS v3.1 estimated score: 7.5) in Apache Traffic Server’s ESI plugin that enables unauthenticated attackers to exhaust memory and potentially crash proxy nodes. Given ATS’s role in global content delivery[1], even a single node failure can black-hole thousands of sessions. Organizations should urgently upgrade to version 9.2.11 or 10.0.6 and enforce the new inclusion-depth safeguard.

Why reverse‑proxy servers matter

Every web request you make today almost certainly travels through one or more reverse‑proxy caches before it reaches the origin application. These proxies:

- Off‑load origin servers by caching hot objects
- Collapse duplicate requests during traffic spikes
- Terminate TLS and enforce security controls
- Sit “at the edge”, close to end‑users, to shave hundreds of milliseconds off page‑load time

Because they concentrate so much traffic, a single reverse‑proxy node going offline can black‑hole thousands of concurrent sessions; at scale, an outage ripples outward like a dropped stone in water, slowing CDNs, SaaS platforms, media portals and on‑line banks alike. Denial‑of‑service (DoS) conditions on these boxes are therefore high‑impact events, not a mere nuisance.

...

CVE-2025-49763 is a newly disclosed flaw in Apache Traffic Server’s Edge-Side Includes plugin that allows an unauthenticated attacker to embed or request endlessly nested <esi:include> tags, forcing the proxy to consume all available memory until it is out-of-memory-killed and service is lost.

This vulnerability can be exploited in two different ways:

- A threat actor could exploit an Edge Side Include injection and recursively inject the same page over and over again.

[Figure: exploitation via ESI injection]

- A threat actor could also host a malicious server next to a target, behind a vulnerable Traffic Server proxy, and take down the proxy by triggering the ESI request avalanche (see Fig 2).

[Figure 2: exploitation via malicious error]

This results in a full denial of service on edge proxy nodes, triggered remotely without requiring authentication.
·imperva.com·
ModSecurity Vulnerability Exposes Millions of Web Servers to Severe DoS Condition
A critical vulnerability in ModSecurity’s Apache module has been disclosed, potentially exposing millions of web servers worldwide to denial-of-service attacks. The flaw, tracked as CVE-2025-47947 and assigned a CVSS score of 7.5, affects the popular open-source web application firewall’s handling of JSON payloads under specific conditions. Security researchers have confirmed that attackers can exploit this vulnerability with minimal effort, requiring only a single crafted request to consume excessive server memory and potentially crash targeted systems.

ModSecurity DoS Flaw (CVE-2025-47947)

The vulnerability was initially reported in March 2025 by Simon Studer from Netnea on behalf of Swiss Post, though it took several months for developers to successfully reproduce and understand the root cause. CVE-2025-47947 specifically affects mod_security2, the Apache module version of ModSecurity, while the newer libmodsecurity3 implementation remains unaffected. The flaw emerges when two specific conditions are met simultaneously: the incoming payload must have a Content-Type of application/json, and there must be at least one active rule utilizing the sanitiseMatchedBytes action.
·cybersecuritynews.com·
7 December 2023 - Apache Struts version 6.3.0.2 General Availability
The Apache Struts group is pleased to announce that Apache Struts version 6.3.0.2 is available as a “General Availability” release. The GA designation is our highest quality grade.

Apache Struts is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework has been designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This version addresses a potential security vulnerability identified as CVE-2023-50164 and described in S2-066; please read the mentioned security bulletins for more details. This is a drop-in replacement and the upgrade should be straightforward.
·struts.apache.org·