Apache Traffic Server EBV Vulnerability (9.0.0-9.2.8 & 10.0.0-10.0.3)
CVE-2024-56202 Published on March 6, 2025
Apache Traffic Server: Expect header field can unreasonably retain resource
Expected Behavior Violation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.
Vulnerability Analysis
CVE-2024-56202 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Expected Behavior Violation
A feature, API, or function does not perform according to its specification.
Products Associated with CVE-2024-56202
Want to know whenever a new CVE is published for Apache Traffic Server? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Traffic Server:- Version 9.0.0, <= 9.2.8 is affected.
- Version 10.0.0, <= 10.0.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.