
CVE-2025-31698: CWE-284 Improper Access Control in Apache Software Foundation Apache Traffic Server

High
Tags: Vulnerability, CVE-2025-31698, CWE-284
Published: Thu Jun 19 2025 (06/19/2025, 10:07:46 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Traffic Server

Description

ACLs configured in ip_allow.config or remap.config do not use the IP addresses provided by the PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses are used for the ACL if Apache Traffic Server is configured to accept the PROXY protocol. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

AI-Powered Analysis

AI analysis last updated: 06/19/2025, 10:31:54 UTC

Technical Analysis

CVE-2025-31698 is a vulnerability classified under CWE-284 (Improper Access Control) affecting Apache Traffic Server, an open-source caching proxy server widely used to improve web performance and scalability. The issue arises from the way access control lists (ACLs) configured in the ip_allow.config or remap.config files are evaluated when Apache Traffic Server is set up to accept the PROXY protocol. The PROXY protocol carries connection information, such as the original client IP address, through proxies or load balancers. In affected versions (9.0.0 through 9.2.10 and 10.0.0 through 10.0.6), the ACLs are not evaluated against the client IP address supplied by the PROXY protocol, so the server decides on the address the connection arrived from rather than on the original client's address, and may trust or reject a connection based on the wrong IP. This can allow unauthorized users to bypass intended access restrictions and reach restricted resources or services. The fix introduces a new setting, proxy.config.acl.subjects, which lets administrators specify which IP addresses are used for ACL decisions when the PROXY protocol is enabled. Users are advised to upgrade to Apache Traffic Server version 9.2.11 or 10.0.6 or later, where this issue is fixed. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of network services relying on Apache Traffic Server, especially those using the PROXY protocol to handle client IP forwarding behind load balancers or proxies. Unauthorized access could lead to exposure of sensitive internal resources, unauthorized data retrieval, or manipulation of traffic routing. This could affect sectors such as finance, telecommunications, government, and large enterprises that deploy Apache Traffic Server for web acceleration and caching. The improper access control could also facilitate lateral movement within networks if attackers exploit the trust relationships established by the ACLs. While availability impact is less direct, unauthorized access could be leveraged to disrupt services or facilitate further attacks. Given the widespread use of Apache Traffic Server in content delivery and caching infrastructures, the scope of affected systems is considerable, particularly in environments where the PROXY protocol is enabled and ACLs are used to restrict access.

Mitigation Recommendations

Beyond upgrading to Apache Traffic Server version 9.2.11 or 10.0.6 or later, organizations should:

1) Audit current ACL configurations in ip_allow.config and remap.config to ensure they reflect the intended access policies, especially in environments that accept the PROXY protocol.
2) Explicitly configure the proxy.config.acl.subjects setting to define which IP addresses are considered for ACL decisions, rather than relying on default or ambiguous settings.
3) Implement network segmentation and additional layers of access control so that ACLs are not the only control protecting a service.
4) Monitor logs for unusual access patterns or unexpected IP addresses that may indicate attempts to exploit this vulnerability.
5) Conduct penetration testing that focuses on ACL bypass scenarios in PROXY-protocol-enabled environments.
6) Review and update incident response plans to include scenarios involving ACL bypass and unauthorized access through proxy protocols.

These steps help ensure that even where the vulnerability is present, the risk of exploitation is minimized.
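The following Python model is an added illustration of the behaviour described in the Technical Analysis and targeted by mitigation steps 1, 2 and 4; it is not part of this advisory and not Apache Traffic Server code. It evaluates a constructed allow/deny ACL against either the TCP peer address or the client address carried in a PROXY protocol v1 header, shows how an address that the policy denies is accepted when only the peer address is consulted, and includes an audit helper that flags connections where the two decisions differ. The subject names "PEER" and "PROXY", the first-available ordering, the ACL syntax and every address in it are assumptions of the model; consult the records.config documentation for your release for the values proxy.config.acl.subjects actually accepts.

```python
"""Simplified model of the access-control flaw described in CVE-2025-31698.
Illustration only: not Apache Traffic Server code.  The ACL syntax below is a
constructed stand-in for ip_allow.config / remap.config rules."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclRule:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    action: str  # "allow" or "deny"


def parse_acl(text: str) -> list[AclRule]:
    """Parse constructed '<allow|deny> <CIDR>' lines; first match wins, default deny."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, cidr = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append(AclRule(ipaddress.ip_network(cidr, strict=False), action))
    return rules


def acl_decide(rules: list[AclRule], ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            return rule.action
    return "deny"


def proxy_v1_source(header: bytes) -> Optional[str]:
    """Extract the client source address from a PROXY protocol v1 line.
    Returns None when there is no header or the header is 'UNKNOWN'."""
    if not header.startswith(b"PROXY "):
        return None
    line = header.split(b"\r\n", 1)[0].decode("ascii")
    fields = line.split(" ")
    if fields[1] == "UNKNOWN":
        return None
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY v1 header: {line!r}")
    return fields[2]


@dataclass
class Connection:
    peer_ip: str               # address of the TCP peer (often a load balancer)
    proxy_header: bytes = b""  # leading bytes of the stream when PROXY protocol is accepted


def evaluate(conn: Connection, rules: list[AclRule], subjects=("PEER",)):
    """Apply the ACL to the first available subject address and return (decision, address).

    `subjects` models proxy.config.acl.subjects: "PEER" is the TCP peer address,
    "PROXY" the client address from the PROXY header.  The names and the
    first-available ordering are assumptions of this model.  ("PEER",) alone
    reproduces the pre-fix behaviour: the PROXY-supplied address is ignored."""
    for subject in subjects:
        if subject == "PROXY":
            ip = proxy_v1_source(conn.proxy_header)
            if ip is None:
                continue  # no PROXY header on this connection; try the next subject
        elif subject == "PEER":
            ip = conn.peer_ip
        else:
            raise ValueError(f"unknown ACL subject {subject!r}")
        return acl_decide(rules, ip), ip
    return "deny", None


def find_mismatches(conns, rules):
    """Audit helper: connections where the peer-only decision differs from the
    decision on the PROXY-supplied client address (the case the CVE describes)."""
    out = []
    for c in conns:
        peer_dec, _ = evaluate(c, rules, ("PEER",))
        proxy_dec, proxy_ip = evaluate(c, rules, ("PROXY", "PEER"))
        if peer_dec != proxy_dec:
            out.append((c.peer_ip, proxy_ip, peer_dec, proxy_dec))
    return out


# Constructed sample policy: only the internal 10/8 range may reach the service.
SAMPLE_ACL = """
allow 10.0.0.0/8     # internal clients and load balancers
deny  0.0.0.0/0      # everyone else
"""
RULES = parse_acl(SAMPLE_ACL)

# Constructed connections: an external client arriving through an internal load
# balancer that speaks PROXY protocol, and an internal client connecting directly.
VIA_LB = Connection("10.1.2.3", b"PROXY TCP4 203.0.113.45 10.1.2.3 51234 8080\r\n")
DIRECT = Connection("10.5.5.5")

if __name__ == "__main__":
    print("pre-fix (PEER only):    ", evaluate(VIA_LB, RULES, ("PEER",)))
    print("fixed (PROXY then PEER):", evaluate(VIA_LB, RULES, ("PROXY", "PEER")))
    print("direct internal client: ", evaluate(DIRECT, RULES, ("PROXY", "PEER")))
    print("audit mismatches:       ", find_mismatches([VIA_LB, DIRECT], RULES))
```

With the peer-only subject the external client is allowed because the load balancer's address matches the internal range; with the PROXY address consulted first it is denied, while a direct internal connection without a PROXY header still falls back to the peer address. The same comparison, run over recorded connections, is a practical way to carry out the audit in steps 1 and 4 before and after changing the setting.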


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-03-31T23:45:24.580Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6853e39333c7acc046092090

Added to database: 6/19/2025, 10:16:51 AM

Last enriched: 6/19/2025, 10:31:54 AM

Last updated: 8/4/2025, 5:30:31 AM

Views: 17
