{"id":3052,"date":"2025-04-04T10:03:35","date_gmt":"2025-04-04T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/04\/apache-traffic-server-vulnerability-let-attackers-smuggle-requests\/"},"modified":"2025-04-04T10:03:35","modified_gmt":"2025-04-04T10:03:35","slug":"apache-traffic-server-vulnerability-let-attackers-smuggle-requests","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/04\/apache-traffic-server-vulnerability-let-attackers-smuggle-requests\/","title":{"rendered":"Apache Traffic Server Vulnerability Let Attackers Smuggle Requests"},"content":{"rendered":"

Apache Traffic Server Vulnerability Let Attackers Smuggle Requests
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical security vulnerability in Apache Traffic Server (ATS)<\/a> has been discovered. By exploiting how the server processes chunked messages, attackers can perform request smuggling attacks.\u00a0<\/p>\n

The vulnerability, tracked as CVE-2024-53868, affects multiple versions of this high-performance HTTP proxy server and requires system administrators\u2019 immediate attention.<\/p>\n

According to the advisory, the vulnerability stems from a flaw in how Apache Traffic Server handles HTTP chunked transfer encoding\u2014a method that allows data to be sent in a series of chunks rather than all at once.\u00a0<\/p>\n

When processing malformed chunked messages, ATS fails to properly validate the message format, creating a security gap that malicious actors can exploit.<\/p>\n

Specifically, the issue involves how ATS handles malformed chunked message bodies. Based on findings from related GitHub<\/a> issues, ATS improperly accepts and forwards requests containing invalid formatting elements, such as carriage returns within chunk-ext whitespace, where only spaces and tabs should be permitted.<\/p>\n

Apache Traffic Server Vulnerability<\/strong><\/h2>\n

Additionally, ATS accepts bare Line Feed (LF) characters as line endings within chunked message bodies instead of requiring the standard Carriage Return + Line Feed (CRLF) sequence.<\/p>\n

For example, when a specially crafted HTTP request using the Transfer-Encoding: chunked header with intentionally malformed chunk formatting is sent to an ATS server, the server processes it in a way that differs from how backend servers might interpret the same request.\u00a0<\/p>\n

This inconsistency creates the opportunity for request smuggling.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

The above-simplified example demonstrates how an improper line ending (bare LF represented as n) in a chunked message might be accepted by ATS and forwarded to backend servers without proper normalization.<\/p>\n

The summary of the vulnerability is given below:<\/p>\n

\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
\n
Affected Products<\/td>\n		Apache Traffic Server (ATS) versions 9.2.0 to 9.2.9 and 10.0.0 to 10.0.4<\/td>\n<\/tr>\n
\n
Impact<\/td>\n		Cache poisoning, Bypassing security controls, and Session hijacking<\/td>\n<\/tr>\n
\n
Exploit Prerequisites<\/td>\n		A specially crafted HTTP request using chunked transfer encoding<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n6.5 (Medium)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Security Implications<\/strong><\/h2>\n

This request smuggling vulnerability poses several serious risks:<\/p>\n