Remote attackers can trigger an avalanche of internal ESI requests, exhausting memory and causing denial-of-service in Apache Traffic Server.
Executive Summary
Imperva’s Offensive Security Team discovered CVE-2025-49763, a high-severity vulnerability (CVSS v3.1 estimated score: 7.5) in Apache Traffic Server’s ESI plugin that enables unauthenticated attackers to exhaust memory and potentially crash proxy nodes. Given ATS’s role in global content delivery[1], even a single node failure can black-hole thousands of sessions. Organizations should urgently upgrade to version 9.2.11 or 10.0.6 and enforce the new inclusion-depth safeguard.
Why reverse‑proxy servers matter
Every web request you make today almost certainly travels through one or more reverse‑proxy caches before it reaches the origin application. These proxies:
- Off‑load origin servers by caching hot objects
- Collapse duplicate requests during traffic spikes
- Terminate TLS and enforce security controls
- And sit “at the edge”, close to end‑users, to shave hundreds of milliseconds off page‑load time.
Because they concentrate so much traffic, a single reverse‑proxy node going offline can black‑hole thousands of concurrent sessions; at scale, an outage ripples outward like a dropped stone in water, slowing CDNs, SaaS platforms, media portals and on‑line banks alike. Denial‑of‑service (DoS) conditions on these boxes are therefore high‑impact events, not a mere nuisance.
Apache Traffic Server (ATS) — A heavy lifter
Apache Traffic Server is an open‑source, high‑performance HTTP/2 proxy originally built at Inktomi and Yahoo!. In production it has been benchmarked at 200,000+ requests per second and, at Yahoo!, was already serving 30 billion objects and 400 TB of data every day as far back as 2010.
Today the software underpins CDNs and large‑scale sites[2]. While deployments are numerically fewer than Nginx or Varnish, each ATS cluster typically fronts high traffic volumes, so vulnerabilities in its core plugins translate directly into real‑world risk for global content delivery.
Before diving into the details of this vulnerability, we would like to extend our thanks to the ATS Project Management Committee and especially Kit Chan who implemented the fix that now helps protect production systems worldwide.
Edge Side Includes
Edge Side Includes (ESI) is a simple markup language that enables dynamic assembly of web pages at the edge, typically within caching reverse proxies. It allows pages to include smaller, individually cacheable fragments—like headers, footers, or personalized content—reducing load on origin servers and improving performance.
To trigger ESI processing, responses must include a specific HTTP header (e.g., Surrogate-Control: content="ESI/1.0" or X-Esi: 1) that signals to the proxy that ESI tags in the content should be parsed and processed. This makes ESI especially useful for high-traffic sites and CDNs where efficiency and scalability are critical.
The Vulnerability
CVE-2025-49763 is a newly disclosed flaw in Apache Traffic Server’s Edge-Side Includes plugin that allows an unauthenticated attacker to embed or request endlessly nested <esi:include> tags, forcing the proxy to consume all available memory until it is out-of-memory-killed and service is lost.
This vulnerability can be exploited in two different ways:
A threat actor could exploit an Edge Side Include injection[3] and recursively inject the same page over and over again (see Fig 1).
Fig 1. Exploitation via ESI injection
A threat actor could also host a malicious server next to a target, behind a vulnerable Traffic Server proxy, and take down the proxy by triggering the ESI request avalanche (see Fig 2).
Fig 2. Exploitation via malicious server
This results in a full denial of service on edge proxy nodes, triggered remotely without requiring authentication.
Mitigation
The issue affects ATS versions 9.0.0–9.2.10 and 10.0.0–10.0.5. Operators should upgrade to 9.2.11 or 10.0.6 (or later) without delay and rely on the new --max-inclusion-depth safeguard to prevent outages; the limit should only be raised if their pages genuinely need a recursion deeper than 3.
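To make the failure mode and the fix concrete, here is a small Python model of an ESI processor, added for this write-up; it is not the Apache Traffic Server plugin code (which is C++) and does not reproduce its internals. It shows the two things the text describes: the response-header opt-in from the Edge Side Includes section (Surrogate-Control or X-Esi) and an inclusion-depth limit that bounds how many nested <esi:include> fetches a single self-referential fragment can cause. The fragment store, the esi_enabled and render helpers, and the depth-counting convention (top-level page is depth 0, the first included fragment is depth 1) are constructed for the example; the parameter name mirrors the page's --max-inclusion-depth option but nothing here asserts how ATS counts depth internally.

```python
import re

# Matches a self-closing ESI include tag such as <esi:include src="/header"/>.
ESI_INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


def esi_enabled(headers: dict) -> bool:
    """Return True when an origin response opts in to ESI processing.

    ESI is only applied when the response carries
    Surrogate-Control: content="ESI/1.0" or X-Esi: 1 (per the text above).
    """
    surrogate_control = headers.get("Surrogate-Control", "")
    if 'content="ESI/1.0"' in surrogate_control:
        return True
    return headers.get("X-Esi", "") == "1"


class InclusionDepthExceeded(Exception):
    """Raised when a fragment would be nested deeper than the configured limit."""


class EsiProcessor:
    """Toy ESI assembler with a hard cap on nested inclusion depth (constructed, not ATS code)."""

    def __init__(self, fetch, max_inclusion_depth: int = 3):
        self.fetch = fetch                    # callable: fragment path -> fragment body
        self.max_inclusion_depth = max_inclusion_depth
        self.requests_made = 0                # how many internal fragment fetches occurred

    def process(self, body: str, depth: int = 0) -> str:
        """Expand every <esi:include> in body, recursing into fetched fragments.

        depth is the nesting level of body itself (0 = top-level page).
        Each include would produce a fragment at depth + 1; if that exceeds the
        limit we stop instead of issuing yet another internal request.
        """
        def expand(match: "re.Match") -> str:
            src = match.group(1)
            if depth + 1 > self.max_inclusion_depth:
                raise InclusionDepthExceeded(
                    f"refusing to include {src!r}: depth {depth + 1} "
                    f"exceeds max-inclusion-depth {self.max_inclusion_depth}"
                )
            self.requests_made += 1
            return self.process(self.fetch(src), depth + 1)

        return ESI_INCLUDE_RE.sub(expand, body)


# Constructed in-memory "origin": a normal page plus one fragment that includes itself.
FRAGMENTS = {
    "/page": '<html><esi:include src="/header"/><esi:include src="/body"/></html>',
    "/header": "<h1>Site</h1>",
    "/body": '<p>Hello</p><esi:include src="/footer"/>',
    "/footer": "<footer>2025</footer>",
    "/loop": '<div><esi:include src="/loop"/></div>',   # self-referential include
}


def fetch_fragment(src: str) -> str:
    """Stand-in for the proxy's internal sub-request to the origin."""
    return FRAGMENTS[src]


def render(path: str, max_inclusion_depth: int = 3) -> dict:
    """Assemble a page through the processor; report success and the fetch count."""
    proc = EsiProcessor(fetch_fragment, max_inclusion_depth)
    try:
        html = proc.process(FRAGMENTS[path])
        return {"ok": True, "html": html, "requests": proc.requests_made}
    except InclusionDepthExceeded as exc:
        return {"ok": False, "error": str(exc), "requests": proc.requests_made}


if __name__ == "__main__":
    # Header gating: only responses that opt in are parsed for ESI tags.
    print(esi_enabled({"Surrogate-Control": 'content="ESI/1.0"'}))   # True
    print(esi_enabled({"Content-Type": "text/html"}))                 # False
    # Normal page: three fragments fetched, assembled correctly.
    print(render("/page"))
    # Self-referential fragment: fetches stop at the depth limit instead of growing without bound.
    print(render("/loop"))
```

Without the depth check in expand, the "/loop" case would keep issuing internal requests and buffering ever-larger partial responses until the process is killed, which is exactly the memory-exhaustion condition the advisory describes; with the limit, the cost of a malicious or injected fragment is capped at max_inclusion_depth fetches and the request fails closed.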
If your application already sits behind an Imperva proxy, it is automatically protected against Edge-Side Include injection attempts, which substantially reduces the attack surface.
Disclosure Timeline
- Reported: May 20 2025
- Patch Released: June 18 2025
- Public Advisory: June 18 2025
- CVE Published: June 19 2025
[1] https://news.apache.org/foundation/entry/the-apache-software-foundation-announces36
[2] https://trafficserver.apache.org/users.html
[3] https://www.tenable.com/plugins/was/114398