Every CVE whose affected-product data names Apache Traffic Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (82)
CVE-2014-3525 — CVSS 10.0 (critical): Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and…
CVE-2014-3624 — CVSS 9.8 (critical): Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel…
CVE-2021-35474 — CVSS 9.8 (critical): Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to…
CVE-2015-3249 — CVSS 9.8 (critical): The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service…
CVE-2019-17559 — CVSS 9.8 (critical): There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme…
CVE-2019-17565 — CVSS 9.8 (critical): There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked…
CVE-2015-5206 — CVSS 9.8 (critical): Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and…
CVE-2015-5168 — CVSS 9.8 (critical): Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack…
CVE-2020-1944 — CVSS 9.8 (critical): There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and…
CVE-2021-43082 — CVSS 9.8 (critical): Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server…
CVE-2024-50306 — CVSS 9.1 (critical): Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from…
CVE-2017-5660 — CVSS 8.6 (high): There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can…
CVE-2024-35296 — CVSS 8.2 (high): Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects…
CVE-2021-38161 — CVSS 8.1 (high): Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue…
CVE-2021-44759 — CVSS 8.1 (high): Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle…
CVE-2020-17509 — CVSS 7.5 (high): ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable this…
CVE-2020-9481 — CVSS 7.5 (high): Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.
CVE-2020-9494 — CVSS 7.5 (high): Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can…
CVE-2021-27577 — CVSS 7.5 (high): Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache…
CVE-2021-27737 — CVSS 7.5 (high): Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
CVE-2021-32565 — CVSS 7.5 (high): Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache…
CVE-2021-32566 — CVSS 7.5 (high): Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache…
CVE-2021-32567 — CVSS 7.5 (high): Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache…
CVE-2025-65114 — CVSS 7.5 (high): Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0…
CVE-2017-5659 — CVSS 7.5 (high): Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding.
CVE-2017-7671 — CVSS 7.5 (high): There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2.0 to 5.3.2, 6.0.0 to 6.2.0, and 7.0.0 with the TLS handshake. This…
CVE-2018-11783 — CVSS 7.5 (high): sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the…
CVE-2018-1318 — CVSS 7.5 (high): Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache…
CVE-2018-8022 — CVSS 7.5 (high): A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this…
CVE-2019-10079 — CVSS 7.5 (high): Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of…
CVE-2019-9511 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a…
CVE-2019-9512 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings…
CVE-2019-9513 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple…
CVE-2019-9514 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of…
CVE-2019-9515 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2019-9517 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The…
CVE-2019-9518 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a…
CVE-2020-17508 — CVSS 7.5 (high): The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions…
CVE-2023-30631 — CVSS 7.5 (high): Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option…
CVE-2023-33933 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue…
CVE-2023-38522 — CVSS 7.5 (high): Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This…
CVE-2023-39456 — CVSS 7.5 (high): Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server…
CVE-2023-41752 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server…
CVE-2024-31309 — CVSS 7.5 (high): HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9…
CVE-2024-35161 — CVSS 7.5 (high): Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may…
CVE-2024-38479 — CVSS 7.5 (high): Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from…
CVE-2024-50305 — CVSS 7.5 (high): Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0…
CVE-2024-53868 — CVSS 7.5 (high): Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0…
CVE-2025-31698 — CVSS 7.5 (high): ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new…
CVE-2025-49763 — CVSS 7.5 (high): ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are…
CVE-2025-58136 — CVSS 7.5 (high): A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through…
CVE-2021-37147 — CVSS 7.5 (high): Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue…
CVE-2021-37148 — CVSS 7.5 (high): Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue…
CVE-2021-37149 — CVSS 7.5 (high): Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue…
CVE-2021-37150 — CVSS 7.5 (high): Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This…
CVE-2021-41585 — CVSS 7.5 (high): Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop…
CVE-2021-44040 — CVSS 7.5 (high): Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This…
CVE-2022-25763 — CVSS 7.5 (high): Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache…
CVE-2022-28129 — CVSS 7.5 (high): Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers…
CVE-2022-31778 — CVSS 7.5 (high): Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the…
CVE-2022-31779 — CVSS 7.5 (high): Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This…
CVE-2022-31780 — CVSS 7.5 (high): Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This…
CVE-2022-32749 — CVSS 7.5 (high): Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash…
CVE-2022-47184 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue…
CVE-2022-47185 — CVSS 7.5 (high): Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.This issue affects Apache…
CVE-2018-8004 — CVSS 6.5 (medium): There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server…
CVE-2018-9481 — CVSS 6.5 (medium): In bta_hd_set_report_act of bta_hd_act.cc, there is a possible out-of-bounds read due to an integer overflow. This could lead to remote…
CVE-2019-9516 — CVSS 6.5 (medium): Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of…
CVE-2024-38311 — CVSS 6.3 (medium): Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from…
CVE-2024-56196 — CVSS 6.3 (medium): Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3. Users…
CVE-2024-56195 — CVSS 6.3 (medium): Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from…
CVE-2022-40743 — CVSS 6.1 (medium): Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site…
CVE-2022-37392 — CVSS 5.3 (medium): Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects…
CVE-2018-8040 — CVSS 5.3 (medium): Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This…
CVE-2018-8005 — CVSS 5.3 (medium): When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause…
CVE-2012-0256 — CVSS 5.0 (medium): Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows remote…
CVE-2014-10022 — CVSS 5.0 (medium): Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer…
CVE-2024-56202 — CVSS 4.3 (medium): Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8…
CVE-2010-2952 — CVSS 4.3 (medium): Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and…