
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (CVE-2025-49763) was discovered in Apache Traffic Server's Edge Side Includes (ESI) plugin. The vulnerability affects Apache Traffic Server versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5, where the ESI plugin lacks a maximum inclusion depth limit, enabling excessive memory consumption through malicious instructions (NVD, Imperva Blog).
The vulnerability (CWE-400: Uncontrolled Resource Consumption) lies in the ESI plugin's inclusion processing: because no depth limit is enforced, an attacker can craft requests whose ESI includes are processed recursively until server memory is exhausted. It has been assigned a CVSS v3.1 score of 7.5 (HIGH). Exploitation requires the ESI plugin to be enabled and network access to the vulnerable server (Wiz Report, Imperva Blog).
When successfully exploited, the vulnerability can cause Apache Traffic Server to become unresponsive or crash entirely, effectively denying service to legitimate users. Given ATS's role in global content delivery, even a single node failure can affect thousands of sessions, potentially disrupting CDNs, SaaS platforms, media portals, and online banking services (Imperva Blog).
The Apache Software Foundation has released patched versions 9.2.11 and 10.0.6 to address this vulnerability. Organizations should upgrade to these versions without delay and configure the new --max-inclusion-depth parameter, which defaults to 3, to prevent unbounded inclusion chains. Systems protected by Imperva proxy are automatically safeguarded against Edge-Side Include injection attempts (Imperva Blog, NVD).
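To make the mitigation concrete, the following is an added example (not Apache Traffic Server code and not the ESI plugin's implementation) of a toy ESI include resolver that enforces an inclusion-depth limit the way the description above says the patched plugin does. The fragment contents, the paths, and the depth-counting convention (top-level document at depth 0, each nested include adding one) are assumptions of this example; the default limit of 3 mirrors the documented default of the --max-inclusion-depth option. A self-including fragment is used purely as the test input that shows why the bound is needed: without it the resolver would recurse without limit.

```python
"""Toy ESI include resolver with an inclusion-depth limit (illustrative, not ATS code)."""
import re
from typing import Dict

# Constructed sample fragments keyed by path. Not real site content.
FRAGMENTS: Dict[str, str] = {
    "/index": '<p>header</p><esi:include src="/nav"/><p>footer</p>',
    "/nav": "<ul><li>home</li></ul>",
    # A chain four levels deep: /a -> /b -> /c -> /d (leaf).
    "/a": '<esi:include src="/b"/>',
    "/b": '<esi:include src="/c"/>',
    "/c": '<esi:include src="/d"/>',
    "/d": "<p>leaf</p>",
    # A fragment that includes itself: with no depth limit this never terminates.
    "/loop": '<p>loop</p><esi:include src="/loop"/>',
}

# Matches the self-closing form of an ESI include tag, e.g. <esi:include src="/nav"/>.
INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    """Raised when nested includes go deeper than the configured limit."""


def resolve(path: str, fragments: Dict[str, str],
            max_inclusion_depth: int = 3, _depth: int = 0) -> str:
    """Expand esi:include tags in `path`, refusing nesting deeper than max_inclusion_depth.

    Depth 0 is the top-level document; each nested include adds one. The default of 3
    mirrors the documented default of the patched plugin's --max-inclusion-depth option
    (the counting convention itself is an assumption of this example).
    """
    body = fragments[path]  # KeyError for an unknown fragment is left to the caller

    def expand(match: "re.Match[str]") -> str:
        child_depth = _depth + 1
        if child_depth > max_inclusion_depth:
            # Fail closed: stop before allocating another level of output.
            raise InclusionDepthExceeded(
                f"include of {match.group(1)} at depth {child_depth} "
                f"exceeds limit {max_inclusion_depth}"
            )
        return resolve(match.group(1), fragments, max_inclusion_depth, child_depth)

    return INCLUDE_RE.sub(expand, body)


def expands_within_limit(path: str, fragments: Dict[str, str],
                         max_inclusion_depth: int = 3) -> bool:
    """True if `path` fully expands under the limit, False if the limit is hit."""
    try:
        resolve(path, fragments, max_inclusion_depth)
        return True
    except InclusionDepthExceeded:
        return False


if __name__ == "__main__":
    print(resolve("/index", FRAGMENTS))
    for p in ("/a", "/loop"):
        print(p, "ok" if expands_within_limit(p, FRAGMENTS) else "rejected")
```

Running the block expands `/index` normally, accepts the four-level chain under the default limit of 3, and rejects `/loop` as soon as its fourth nested include is reached instead of consuming memory indefinitely; lowering the limit to 2 rejects the chain as well, which is the trade-off an operator makes when tuning --max-inclusion-depth for legitimately nested templates.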
Source: This report was generated using AI