CVE-2025-31698
📋 TL;DR
Apache Traffic Server versions 9.0.0-9.2.10 and 10.0.0-10.0.6 have an ACL bypass vulnerability when using PROXY protocol. The access control lists in ip_allow.config or remap.config fail to properly use IP addresses provided by PROXY protocol, potentially allowing unauthorized access. This affects all users running vulnerable versions with PROXY protocol enabled.
💻 Affected Systems
- Apache Traffic Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass IP-based access controls entirely, gaining unauthorized access to protected resources, potentially leading to data exposure or service compromise.
Likely Case
Unauthorized clients could access resources that should be restricted by IP-based ACLs, leading to potential data leakage or service abuse.
If Mitigated
With proper network segmentation and additional authentication layers, impact would be limited to potential ACL bypass without further compromise.
🎯 Exploit Status
Exploitation requires sending PROXY protocol headers to bypass IP-based ACLs
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.11 or 10.0.6
Vendor Advisory: https://lists.apache.org/thread/15t32nxbypqg1m2smp640vjx89o6v5f8
Restart Required: Yes
Instructions:
1. Download Apache Traffic Server 9.2.11 or 10.0.6 from official sources.
2. Stop the Traffic Server service.
3. Back up the configuration files.
4. Install the new version.
5. Restart the Traffic Server service.
🔧 Temporary Workarounds
Configure proxy.config.acl.subjects
Set the proxy.config.acl.subjects parameter to specify which IP addresses are used for ACL evaluation when PROXY protocol is enabled.
Add proxy.config.acl.subjects to records.config with the appropriate value.
Disable PROXY Protocol
If PROXY protocol is not required, disable it to eliminate the vulnerability.
Remove or comment out the PROXY protocol configuration in records.config.
🧯 If You Can't Patch
- Implement network-level IP filtering before traffic reaches Traffic Server
- Add application-layer authentication to complement IP-based ACLs
🔍 How to Verify
Check if Vulnerable:
Check the Traffic Server version and whether PROXY protocol is enabled together with ACLs in ip_allow.config or remap.config.
Check Version:
traffic_server -V
Verify Fix Applied:
Confirm the installed version is 9.2.11+ or 10.0.6+, then test that ACLs behave as expected with PROXY protocol enabled.
📡 Detection & Monitoring
Log Indicators:
- Unexpected successful connections from IPs not in ACL
- PROXY protocol header parsing errors
Network Indicators:
- Traffic bypassing expected IP restrictions
- PROXY protocol usage from unexpected sources
SIEM Query:
source="traffic_server" AND (event="connection_allowed" OR event="acl_denied") | stats count by src_ip
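As an added, constructed example (not code from the advisory or the Traffic Server project), the following Python audit helper evaluates an ip_allow-style ACL against both the TCP peer address and the client address carried in a PROXY protocol v1 header, and flags records where only the peer passes; that is the condition behind the "unexpected successful connections from IPs not in ACL" indicator above. The allowed ranges and the sample records are assumed values.

```python
import ipaddress
import re

# Constructed allow-list in the spirit of ip_allow.config (assumed values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# PROXY protocol v1 text header: "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n".
# "PROXY UNKNOWN\r\n" and malformed lines deliberately do not match.
PROXY_V1 = re.compile(r"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n$")


def parse_proxy_v1(header):
    """Return the client source address advertised by a v1 header, else None."""
    m = PROXY_V1.match(header)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(2))
    except ValueError:
        return None


def acl_allows(addr):
    """True when addr falls inside any allowed range (IPv4/IPv6 mismatch is False)."""
    return any(addr in net for net in ALLOWED_NETS)


def evaluate(peer_ip, proxy_header):
    """Evaluate the ACL against both subjects.

    Returns (peer_allowed, proxy_allowed, bypass). bypass is True when the TCP
    peer (e.g. a trusted load balancer) passes the ACL but the client address
    advertised in the PROXY header would not: an ACL that only looks at the
    peer lets that client through, which is the behaviour the fix addresses.
    """
    peer_ok = acl_allows(ipaddress.ip_address(peer_ip))
    advertised = parse_proxy_v1(proxy_header)
    proxy_ok = advertised is not None and acl_allows(advertised)
    return peer_ok, proxy_ok, (peer_ok and not proxy_ok)


def audit(records):
    """Return the advertised client addresses (as strings) that indicate a bypass."""
    flagged = []
    for peer_ip, header in records:
        _, _, bypass = evaluate(peer_ip, header)
        if bypass and (adv := parse_proxy_v1(header)) is not None:
            flagged.append(str(adv))
    return flagged


if __name__ == "__main__":
    # Constructed sample records: (TCP peer address, PROXY v1 header received).
    sample = [
        ("10.1.2.3", "PROXY TCP4 203.0.113.7 10.0.0.1 4321 8080\r\n"),  # bypass case
        ("10.1.2.3", "PROXY TCP4 192.168.1.5 10.0.0.1 4322 8080\r\n"),  # both allowed
        ("198.51.100.9", "PROXY UNKNOWN\r\n"),                          # peer denied
    ]
    for client in audit(sample):
        print(f"ACL would be bypassed for advertised client {client}")
```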