CVE-2025-31698 is a vulnerability classified under CWE-284 (Improper Access Control) affecting the Apache Traffic Server, an open-source caching proxy server widely used for improving web performance and scalability. The issue arises from the way access control lists (ACLs) are configured in the ip_allow.config or remap.config files when Apache Traffic Server is set up to accept the PROXY protocol. The PROXY protocol is used to safely transport connection information such as the original client IP address through proxies or load balancers. However, in affected versions (9.0.0 through 9.2.10 and 10.0.0 through 10.0.6), the ACLs do not correctly apply to the IP addresses provided by the PROXY protocol, meaning that the server may incorrectly trust or reject connections based on the wrong IP address. This misconfiguration can allow unauthorized users to bypass intended access restrictions, potentially gaining access to restricted resources or services. The vulnerability is resolved by introducing a new setting, proxy.config.acl.subjects, which allows administrators to specify which IP addresses should be used for ACL decisions when the PROXY protocol is enabled. Users are advised to upgrade to Apache Traffic Server versions 9.2.11 or 10.0.6 or later, where this issue is fixed. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of network services relying on Apache Traffic Server, especially those using the PROXY protocol to handle client IP forwarding behind load balancers or proxies. Unauthorized access could lead to exposure of sensitive internal resources, unauthorized data retrieval, or manipulation of traffic routing. This could affect sectors such as finance, telecommunications, government, and large enterprises that deploy Apache Traffic Server for web acceleration and caching. The improper access control could also facilitate lateral movement within networks if attackers exploit the trust relationships established by the ACLs. While availability impact is less direct, unauthorized access could be leveraged to disrupt services or facilitate further attacks. Given the widespread use of Apache Traffic Server in content delivery and caching infrastructures, the scope of affected systems is considerable, particularly in environments where the PROXY protocol is enabled and ACLs are used to restrict access.

Beyond upgrading to Apache Traffic Server versions 9.2.11 or 10.0.6 or later, organizations should: 1) Audit current ACL configurations in ip_allow.config and remap.config to ensure they correctly reflect intended access policies, especially in environments using the PROXY protocol. 2) Explicitly configure the proxy.config.acl.subjects setting to define which IP addresses are considered for ACL decisions, avoiding reliance on default or ambiguous settings. 3) Implement network segmentation and additional layers of access control to reduce reliance on ACLs alone for security. 4) Monitor logs for unusual access patterns or unexpected IP addresses that may indicate attempts to exploit this vulnerability. 5) Conduct penetration testing focusing on ACL bypass scenarios in proxy-enabled environments. 6) Review and update incident response plans to include scenarios involving ACL bypass and unauthorized access through proxy protocols. These steps will help ensure that even if the vulnerability is present, the risk of exploitation is minimized.