CVE-2024-50305

7.5 HIGH

📋 TL;DR

A vulnerability in Apache Traffic Server allows a specially crafted Host header to cause a denial-of-service crash. This affects Apache Traffic Server versions 9.2.0 through 9.2.5 on some platforms, potentially disrupting web proxy and caching services.

💻 Affected Systems

Products:
  • Apache Traffic Server
Versions: 9.2.0 through 9.2.5
Operating Systems: Platform-specific (some platforms affected)
Default Config Vulnerable: ⚠️ Yes
Notes: Only some platforms are affected; the advisory says "on some platforms" but does not specify which ones.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of Apache Traffic Server, disrupting all web proxy and caching functionality for dependent applications.

🟠 Likely Case

Intermittent service crashes leading to availability issues and potential data loss for in-flight requests.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring allowing rapid detection and restart.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending a crafted Host header, which any HTTP client can do; no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.6 or 10.0.2

Vendor Advisory: https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y

Restart Required: Yes

Instructions:

1. Download Apache Traffic Server 9.2.6 or 10.0.2 from official sources.
2. Stop the Traffic Server service.
3. Back up configuration files.
4. Install the new version.
5. Restore configurations if needed.
6. Start the service.

🔧 Temporary Workarounds

Host Header Validation (all)

Implement a reverse proxy or WAF to validate and sanitize Host headers before they reach Traffic Server.

Rate Limiting (all)

Implement rate limiting on HTTP requests to reduce the impact of potential DoS attacks.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Traffic Server from untrusted networks
  • Deploy monitoring and automated restart scripts to minimize downtime from crashes

🔍 How to Verify

Check if Vulnerable:

Check the Traffic Server version with 'traffic_server -v' or 'traffic_manager -v' and verify whether it falls between 9.2.0 and 9.2.5 inclusive.

Check Version:

traffic_server -v

Verify Fix Applied:

After the upgrade, verify with 'traffic_server -v' that the version is 9.2.6 or higher (or 10.0.2 or higher on the 10.x branch).
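The version check above is easy to get wrong by hand (string comparison puts "9.2.10" before "9.2.6"), so here is an added helper that parses the version token out of the `traffic_server -v` banner and compares it numerically against the ranges this advisory lists. This is example code written for this page, not part of Apache Traffic Server; the sample banner lines are constructed, and the regex only assumes the real output contains an x.y.z token somewhere.

```python
import re
import subprocess

# Ranges as stated in this advisory (assumed inclusive).
AFFECTED_MIN = (9, 2, 0)
AFFECTED_MAX = (9, 2, 5)
FIXED_9X = (9, 2, 6)      # first fixed release on the 9.2 branch
FIXED_10X = (10, 0, 2)    # first fixed release on the 10.0 branch

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(output):
    """Return the first x.y.z token in the banner as an int tuple, or None if absent."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """Numeric range check, so (9, 2, 10) is correctly treated as newer than (9, 2, 6)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def is_fixed(version):
    """True when the version is at or past the fixed release for its branch."""
    if version[0] == 9:
        return version >= FIXED_9X
    if version[0] == 10:
        return version >= FIXED_10X
    return version > FIXED_10X  # later major versions post-date the fix


def assess(output):
    """Turn one banner line into a human-readable verdict."""
    version = parse_version(output)
    if version is None:
        return "unknown: could not parse a version from the banner"
    label = ".".join(str(p) for p in version)
    if is_affected(version):
        return f"{label}: AFFECTED by CVE-2024-50305, upgrade to 9.2.6 or 10.0.2"
    if is_fixed(version):
        return f"{label}: not affected, fix present"
    return f"{label}: outside the ranges this advisory lists, consult the vendor advisory"


def live_check():
    """Run the real binary if it is installed; degrade gracefully if it is not."""
    try:
        proc = subprocess.run(["traffic_server", "-v"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f"unknown: could not run traffic_server -v ({exc})"
    return assess(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed sample banners; the real format may differ but still carries an x.y.z token.
    samples = [
        "Apache Traffic Server - traffic_server - 9.2.5 - (build # 1 on Jan 1 2024)",
        "Apache Traffic Server - traffic_server - 9.2.6 - (build # 1 on Jan 1 2024)",
        "Apache Traffic Server - traffic_server - 10.0.1 - (build # 1 on Jan 1 2024)",
    ]
    for line in samples:
        print(assess(line))
    print(live_check())
```

Run it on the host as the same user that can execute `traffic_server`; a version that is neither in the affected range nor at a fixed release is reported as unclassified rather than silently marked safe, which is the conservative result for a check like this.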

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process termination
  • Segmentation fault errors in logs
  • Service restart patterns

Network Indicators:

  • HTTP requests with unusual Host headers followed by service unavailability

SIEM Query:

source="traffic_server" AND ("segmentation fault" OR "crash" OR "terminated unexpectedly")
