CVE-2024-53868

7.5 HIGH

📋 TL;DR

Apache Traffic Server is vulnerable to HTTP request smuggling when processing malformed chunked messages. This allows attackers to bypass security controls, poison caches, or hijack user sessions. Affected users are those running Apache Traffic Server versions 9.2.0-9.2.9 or 10.0.0-10.0.4.

💻 Affected Systems

Products:
  • Apache Traffic Server
Versions: 9.2.0 through 9.2.9, 10.0.0 through 10.0.4
Operating Systems: All operating systems where Apache Traffic Server runs
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using affected versions are vulnerable when processing HTTP/1.1 chunked messages.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could poison caches, bypass authentication, hijack user sessions, or perform web cache poisoning attacks leading to credential theft or malware distribution.

🟠 Likely Case

Cache poisoning leading to users receiving malicious content, session hijacking, or bypassing security filters and access controls.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF filtering, and monitoring are in place, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malformed HTTP chunked messages but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.10 or 10.0.5

Vendor Advisory: https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9

Restart Required: Yes

Instructions:

1. Download Apache Traffic Server 9.2.10 or 10.0.5 from the official website.
2. Stop the Traffic Server service.
3. Backup configuration files.
4. Install the new version.
5. Restore configurations.
6. Start the service.

🔧 Temporary Workarounds

HTTP Request Filtering

all

Configure WAF or reverse proxy to filter malformed chunked HTTP requests.

🧯 If You Can't Patch

  • Implement strict WAF rules to block malformed chunked HTTP requests.
  • Monitor logs for unusual HTTP request patterns and implement network segmentation.

🔍 How to Verify

Check if Vulnerable:

Check Apache Traffic Server version using 'traffic_server -V' and compare against affected ranges.

Check Version:

traffic_server -V

Verify Fix Applied:

After patching, verify version is 9.2.10 or 10.0.5+ and test with known malformed chunked requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request patterns, malformed chunked encoding in logs, cache poisoning attempts.

Network Indicators:

  • HTTP requests with malformed Transfer-Encoding: chunked headers, unusual request smuggling patterns.

SIEM Query:

Search for HTTP requests containing 'Transfer-Encoding: chunked' with malformed chunk sizes or unusual patterns.
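As an illustration of the "malformed chunk sizes" the detection guidance refers to, here is an added strict checker (not code from this page or from Apache Traffic Server) that validates a chunked message body against the RFC 9112 chunk grammar and reports the first deviation. The sample bodies are constructed; the function is meant for offline review of captured request bodies, not as a replacement for patching.

```python
import re

# RFC 9112 chunk line: chunk-size = 1*HEXDIG, optional chunk-ext, then CRLF.
# Deliberately strict: no leading whitespace, no sign, no "0x" prefix, no bare LF.
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n]*)?\r\n")


def check_chunked_body(body: bytes) -> list[str]:
    """Return a list of findings for a chunked body; empty list means well-formed."""
    findings: list[str] = []
    pos = 0
    chunk_no = 0
    while True:
        m = CHUNK_SIZE_LINE.match(body, pos)
        if not m:
            # Report the raw offending line so an analyst can see what was sent.
            nl = body.find(b"\n", pos)
            raw = body[pos:(nl + 1) if nl != -1 else len(body)]
            findings.append(f"chunk {chunk_no}: malformed chunk-size line {raw!r}")
            return findings
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # last-chunk: an optional trailer section, then a terminating empty line.
            rest = body[pos:]
            if rest != b"\r\n" and not rest.endswith(b"\r\n\r\n"):
                findings.append("last-chunk: missing terminating CRLF")
            return findings
        data_end = pos + size
        # chunk-data must be exactly `size` bytes and be followed by CRLF.
        if body[data_end:data_end + 2] != b"\r\n":
            findings.append(
                f"chunk {chunk_no}: declared size {size} but chunk-data not followed by CRLF"
            )
            return findings
        pos = data_end + 2
        chunk_no += 1


if __name__ == "__main__":
    # Constructed samples: one valid body, then several malformed variants.
    samples = [
        b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",   # well-formed
        b" 4\r\nWiki\r\n0\r\n\r\n",                # leading whitespace in chunk-size
        b"4\nWiki\r\n0\r\n\r\n",                   # bare LF instead of CRLF
        b"3\r\nWiki\r\n0\r\n\r\n",                 # size does not match data
    ]
    for s in samples:
        print(s, "->", check_chunked_body(s) or "OK")
```

Lines with a non-empty result are the ones worth correlating with the SIEM query above; a lenient parser on one hop and a strict one on another is exactly the disagreement that request smuggling exploits.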
