Description:
ATS is vulnerable to HTTP requests with body.

CVE:
CVE-2025-58136 - A simple legitimate POST request causes a crash
CVE-2025-65114 - Malformed chunked message body allows request smuggling

Reported By:
Masakazu Kitajo (CVE-2025-58136)
Katsutoshi Ikenoya (CVE-2025-65114)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 9.0.0 to 9.2.12
ATS 10.0.0 to 10.1.1

Mitigation:
9.x users should upgrade to 9.1.13 or later versions
10.x users should upgrade to 10.1.2 or later versions

For CVE-2025-58136, old version users can set proxy.config.http.request_buffer_enabled to 0 (the default value is 0) to prevent the crash.
There is no workaround for CVE-2025-65114.

CVE:
https://www.cve.org/CVERecord?id=CVE-2025-58136
https://www.cve.org/CVERecord?id=CVE-2025-65114
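
An audit check for the mitigation above, added here as an example and not part of the original advisory or of ATS itself. It compares a version string against the affected ranges listed in this advisory and reads the request-buffer setting from records.config text. Assumptions: the function names are hypothetical, the sample input is constructed, and only the records.config line syntax used by 9.x is parsed (10.x keeps its records in records.yaml, which this does not read).

```python
import re

# Affected ranges (inclusive) exactly as listed in the advisory.
AFFECTED = [((9, 0, 0), (9, 2, 12)), ((10, 0, 0), (10, 1, 1))]
SETTING = "proxy.config.http.request_buffer_enabled"


def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def request_buffering_on(records_config):
    """True if any uncommented records.config line sets SETTING non-zero.
    An absent setting counts as off: the advisory gives 0 as the default.
    Flagging on any non-zero occurrence is a conservative choice made here."""
    for line in records_config.splitlines():
        fields = line.split()  # "# CONFIG ..." yields 5 fields and is skipped
        if (len(fields) == 4 and fields[0] == "CONFIG"
                and fields[1] == SETTING and fields[2] == "INT"
                and fields[3] != "0"):
            return True
    return False


def assess(version, records_config):
    if not is_affected(version):
        status = "not listed as affected"
        return {"CVE-2025-58136": status, "CVE-2025-65114": status}
    crash = "exposed" if request_buffering_on(records_config) else "workaround in place"
    # The advisory states there is no workaround for CVE-2025-65114.
    return {"CVE-2025-58136": crash, "CVE-2025-65114": "upgrade required"}


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# CONFIG proxy.config.http.request_buffer_enabled INT 0
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.request_buffer_enabled INT 1
"""

if __name__ == "__main__":
    for ver in ("9.2.12", "10.1.2"):
        print(ver, assess(ver, SAMPLE))
```

On an affected version the result for CVE-2025-65114 is always "upgrade required", whatever the configuration says.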
