A critical security vulnerability in Apache Traffic Server (ATS) has been discovered. By exploiting how the server processes chunked messages, attackers can perform request smuggling attacks.
The vulnerability, tracked as CVE-2024-53868, affects multiple versions of this high-performance HTTP proxy server and requires system administrators’ immediate attention.
According to the advisory, the vulnerability stems from a flaw in how Apache Traffic Server handles HTTP chunked transfer encoding—a method that allows data to be sent in a series of chunks rather than all at once.
When processing malformed chunked messages, ATS fails to properly validate the message format, creating a security gap that malicious actors can exploit.
Specifically, the issue involves how ATS handles malformed chunked message bodies. Based on findings from related GitHub issues, ATS improperly accepts and forwards requests containing invalid formatting elements, such as carriage returns within chunk-ext whitespace, where only spaces and tabs should be permitted.
Apache Traffic Server Vulnerability
Additionally, ATS accepts bare Line Feed (LF) characters as line endings within chunked message bodies instead of requiring the standard Carriage Return + Line Feed (CRLF) sequence.
For example, when a specially crafted HTTP request using the Transfer-Encoding: chunked header with intentionally malformed chunk formatting is sent to an ATS server, the server processes it in a way that differs from how backend servers might interpret the same request.
This inconsistency creates the opportunity for request smuggling.
The simplified example above demonstrates how an improper line ending (a bare LF, shown as `\n`) in a chunked message can be accepted by ATS and forwarded to backend servers without normalization.
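As an added example (not Apache Traffic Server code), the strict chunked-body validator below implements the RFC 9112 rules the article says ATS relaxed: every chunk line must end in CRLF, and chunk-ext whitespace may contain only space or tab, so a bare LF or a CR inside the extension is rejected instead of forwarded. The sample bodies in the test are constructed for illustration.

```python
import re

# Strict validator for an HTTP/1.1 chunked message body (RFC 9112 section 7.1).
# Added example for this article; it is not Apache Traffic Server code. Returns
# (ok, reason) and rejects the two leniencies the advisory describes: a bare LF
# accepted as a line ending, and a CR (or any other control byte) inside the
# whitespace around a chunk-ext.

_HEX = re.compile(rb"[0-9A-Fa-f]+")

def _read_crlf_line(data, pos):
    """Return (line, next_pos) for the CRLF-terminated line at pos, or None when
    the line is truncated or holds a bare LF / other control byte before the CRLF."""
    end = data.find(b"\r\n", pos)
    if end == -1:
        return None
    line = data[pos:end]
    if any((b < 0x20 and b != 0x09) or b == 0x7F for b in line):
        return None
    return line, end + 2

def validate_chunked_body(data: bytes):
    pos = 0
    while True:
        res = _read_crlf_line(data, pos)
        if res is None:
            return False, "chunk line must end in CRLF and contain no control bytes"
        line, pos = res
        m = _HEX.match(line)
        if not m:
            return False, "chunk-size is not hexadecimal"
        size = int(m.group(0), 16)
        ext = line[m.end():]
        # chunk-ext is optional; when present it is BWS ";" ..., BWS being SP/HTAB only
        if ext and not ext.lstrip(b" \t").startswith(b";"):
            return False, "unexpected bytes after chunk-size"
        if size == 0:
            break
        if data[pos + size:pos + size + 2] != b"\r\n":
            return False, "chunk-data not followed by CRLF"
        pos += size + 2
    # trailer section: zero or more field lines, then an empty line
    while True:
        res = _read_crlf_line(data, pos)
        if res is None:
            return False, "trailer line must end in CRLF"
        line, pos = res
        if line == b"":
            break
    if pos != len(data):
        return False, "trailing bytes after final CRLF"
    return True, "ok"
```

A check like this placed in front of a backend (or in a test harness against the proxy) fails closed on exactly the inputs where proxy and origin would otherwise disagree.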
The summary of the vulnerability is given below:
Risk Factors / Details
Affected Products: Apache Traffic Server (ATS) versions 9.2.0 to 9.2.9 and 10.0.0 to 10.0.4
Impact: Cache poisoning, bypassing security controls, and session hijacking
Exploit Prerequisites: A specially crafted HTTP request using chunked transfer encoding
CVSS 3.1 Score: 6.5 (Medium)
Security Implications
This request smuggling vulnerability poses several serious risks:
Bypassing security controls: Attackers might circumvent web application firewalls or access control lists designed to protect backend servers.
Cache poisoning: By manipulating how requests are interpreted, attackers could poison the server cache, affecting responses sent to legitimate users.
Session hijacking: In certain scenarios, attackers might intercept or manipulate user sessions, potentially gaining unauthorized access to sensitive accounts.
Data exposure: The vulnerability could lead to exposure of sensitive information due to inconsistent request handling.
The vulnerability has been assigned a CVSS base score of 6.5, indicating a medium severity level.
The following Apache Traffic Server versions are vulnerable to CVE-2024-53868:
ATS 9.0.0 through 9.2.9
ATS 10.0.0 through 10.0.4
Mitigation Steps
Organizations using Apache Traffic Server should implement the following mitigation measures immediately:
Upgrade to patched versions:
For 9.x branch users: Upgrade to version 9.2.10 or later
For 10.x branch users: Upgrade to version 10.0.5 or later
Review and restrict network access to Apache Traffic Server instances
Monitor traffic for unusual HTTP request patterns
Implement additional network-level security controls
Conduct thorough security assessments of existing deployments
The Apache Software Foundation released these security updates on April 2, 2025, with commits addressing the vulnerability now available in the project’s repository.
Given the widespread use of Apache Traffic Server in content delivery networks (CDNs) and high-traffic websites, administrators are urged to prioritize these updates to protect their infrastructure from potential exploitation.