CVE-2025-58136
Published: 02 April 2026
Summary
CVE-2025-58136 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Apache Traffic Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely remediation of the POST request handling flaw through vendor patches to versions 10.1.2 or 9.2.13.
Mitigates the vulnerability by enforcing secure configuration settings, such as disabling request buffering via proxy.config.http.request_buffer_enabled=0 as the vendor workaround.
Provides protection against the unauthenticated remote DoS attack causing application crashes by limiting effects of resource exhaustion from malformed POST requests.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing Apache Traffic Server causes application crash/infinite loop resulting in DoS; directly matches Exploit Public-Facing Application and Application or System Exploitation for endpoint DoS.
NVD Description
A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the…
more
issue. A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).
Deeper analysisAI
CVE-2025-58136 is a vulnerability in Apache Traffic Server stemming from a bug in POST request handling that causes a crash under certain conditions. It affects versions 10.0.0 through 10.1.1 and 9.0.0 through 9.2.12.
An unauthenticated remote attacker with network access can exploit this issue with low complexity and no user interaction required, resulting in a denial-of-service condition via application crash. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with the impact limited to high availability disruption and associated with CWE-670 (Always-Infinite Loop).
The Apache advisory, detailed in the mailing list announcement at https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q, recommends upgrading to fixed versions 10.1.2 or 9.2.13. A workaround for unpatched versions is to set proxy.config.http.request_buffer_enabled to 0, which is the default value.
Details
- CWE(s)