CVE-2024-35296

8.2 HIGH

📋 TL;DR

Apache Traffic Server versions 8.0.0-8.1.10 and 9.0.0-9.2.4 have a vulnerability where specially crafted Accept-Encoding headers can bypass cache lookups, forcing requests to be forwarded to origin servers. This affects all users running vulnerable versions of Apache Traffic Server as a reverse proxy or caching server. The issue allows potential denial of service and increased origin server load.

💻 Affected Systems

Products:
  • Apache Traffic Server
Versions: 8.0.0 through 8.1.10, 9.0.0 through 9.2.4
Operating Systems: All operating systems running Apache Traffic Server
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using vulnerable versions are affected when processing HTTP requests with Accept-Encoding headers.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could cause a complete cache bypass, overwhelming origin servers with repeated requests and leading to denial of service and increased operational costs.

🟠

Likely Case

Increased origin server load and degraded performance due to cache misses, potentially leading to service degradation.

🟢

If Mitigated

Minimal impact with proper rate limiting and origin server capacity planning, though cache efficiency would still be reduced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with malformed Accept-Encoding headers, which is trivial to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.11 or 9.2.5

Vendor Advisory: https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

Restart Required: Yes

Instructions:

1. Download Apache Traffic Server 8.1.11 or 9.2.5 from official sources.
2. Stop the Traffic Server service.
3. Install the updated version.
4. Restart the Traffic Server service.
5. Verify the version is updated.

🔧 Temporary Workarounds

Header Validation Filter


Implement custom header validation to reject malformed Accept-Encoding headers before they reach Traffic Server. Note that the example pattern below only admits bare coding names: it rejects the q-weights permitted by RFC 9110 (for example `gzip;q=1.0, identity;q=0.5`), so extend it before deploying it in front of real clients.

# Configure web application firewall or reverse proxy to filter invalid Accept-Encoding headers
# Example regex pattern for validation: ^(gzip|deflate|br|identity|\*)(?:\s*,\s*(gzip|deflate|br|identity|\*))*$
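As an added example (not code from the advisory or the Apache Traffic Server project), the filter below implements the workaround in Python: `strict_valid` applies the advisory's regex exactly as written, while `parse_accept_encoding` and `relaxed_valid` go beyond it to accept the q-weights and case-insensitive coding names RFC 9110 allows, so legitimate clients are not rejected. The set of known codings and the size and item limits are assumptions chosen for illustration.

```python
import re

# Pattern from the advisory's workaround note: bare codings only, no q-weights.
STRICT_RE = re.compile(r"^(gzip|deflate|br|identity|\*)(?:\s*,\s*(gzip|deflate|br|identity|\*))*$")

# RFC 9110 token characters (tchar); "*" is itself a valid tchar.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# qvalue = ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] )
QVALUE_RE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")

# Assumed allow-list of registered content codings (extend to taste).
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "identity", "compress", "x-compress", "zstd", "*"}

def strict_valid(value: str) -> bool:
    """Accept only the exact form the advisory's regex allows."""
    return STRICT_RE.match(value) is not None

def parse_accept_encoding(value: str, max_len: int = 512, max_items: int = 16):
    """Parse an Accept-Encoding value per RFC 9110 section 12.5.3.

    Returns a list of (coding, q) tuples, or None if the value is malformed
    or exceeds the assumed size limits. Empty list elements are tolerated,
    as the RFC's list syntax requires.
    """
    if len(value) > max_len:
        return None
    items = []
    for raw in value.split(","):
        raw = raw.strip()
        if raw == "":
            continue
        parts = [p.strip() for p in raw.split(";")]
        coding = parts[0].lower()
        if not TOKEN_RE.match(coding):
            return None
        q = 1.0
        for param in parts[1:]:
            name, sep, val = param.partition("=")
            if sep != "=" or name.strip().lower() != "q" or not QVALUE_RE.match(val.strip()):
                return None  # only a weight parameter is defined for codings
            q = float(val.strip())
        items.append((coding, q))
        if len(items) > max_items:
            return None
    return items

def relaxed_valid(value: str) -> bool:
    """Well-formed per RFC 9110 and every coding is on the allow-list."""
    parsed = parse_accept_encoding(value)
    return parsed is not None and all(c in KNOWN_CODINGS for c, _ in parsed)
```

An empty header value is well-formed (it means only `identity` is acceptable), so `relaxed_valid("")` is true while the strict pattern rejects it.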

🧯 If You Can't Patch

  • Implement rate limiting on origin servers to prevent overload from cache bypass attacks.
  • Deploy a web application firewall (WAF) in front of Traffic Server to filter malicious Accept-Encoding headers.

🔍 How to Verify

Check if Vulnerable:

Check the Traffic Server version using 'traffic_server -V' and compare against affected versions.

Check Version:

traffic_server -V

Verify Fix Applied:

After patching, verify that the version is 8.1.11 or higher on the 8.x branch, or 9.2.5 or higher on the 9.x branch.

📡 Detection & Monitoring

Log Indicators:

  • Unusual increase in cache misses
  • Spike in requests to origin servers
  • HTTP requests with malformed Accept-Encoding headers in access logs

Network Indicators:

  • Increased traffic to origin servers
  • Repeated requests for same resources with varying Accept-Encoding headers

SIEM Query:

source="traffic_server" AND ("cache miss" OR "forwarding") | stats count by src_ip

Note that Apache Traffic Server only records the cache outcome when the configured log format includes the cache result code field (`crc`, which yields values such as TCP_MISS), so match on that field rather than on the literal strings above if your log format differs.
