CVE-2025-65114

CVE-2025-65114: Apache Traffic Server: Malformed chunked message body allows request smuggling

Vendor Apache Software Foundation

Product Apache Traffic Server

Weakness CWE-444

Published April 2, 2026

Last update April 2, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

Key dates

Disclosure timeline

April 2, 2026 CVE published

April 2, 2026 Record updated

Identifiers

CVE CVE-2025-65114

CWE CWE-444

Affected versions

Vendor Apache Software Foundation

Product Apache Traffic Server

Affected ≥ 9.0.0 and ≤ 9.2.12

Vendor Apache Software Foundation

Product Apache Traffic Server

Affected ≥ 10.0.0 and ≤ 10.1.1