CVE-2024-35161 Overview
CVE-2024-35161 is an HTTP request smuggling vulnerability in Apache Traffic Server (ATS). The proxy forwards malformed HTTP chunked trailer sections to origin servers without proper validation. Attackers can exploit this behavior to smuggle requests through the proxy and reach back-end servers. When the origin server interprets the malformed trailer differently from the proxy, the flaw can also enable cache poisoning attacks.
The vulnerability affects Apache Traffic Server versions 8.0.0 through 8.1.10 and 9.0.0 through 9.2.4. The flaw is tracked under [CWE-444] Inconsistent Interpretation of HTTP Requests. The Apache Software Foundation released fixed versions 8.1.11 and 9.2.5 to address the issue.
Critical Impact
Remote attackers can smuggle HTTP requests through Apache Traffic Server to origin servers, potentially enabling cache poisoning and bypassing security controls without authentication.
Affected Products
- Apache Traffic Server 8.0.0 through 8.1.10
- Apache Traffic Server 9.0.0 through 9.2.4
- Linux distributions packaging vulnerable ATS versions (including Debian LTS)
Discovery Timeline
- 2024-07-26 - CVE-2024-35161 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-35161
Vulnerability Analysis
Apache Traffic Server acts as a forward and reverse HTTP proxy. The proxy processes HTTP/1.1 messages that use chunked transfer encoding. Chunked encoding allows a trailer section after the final zero-length chunk to carry additional headers.
ATS does not validate the chunked trailer section before forwarding it to the origin server. When the trailer is malformed, the proxy passes the raw bytes downstream. The origin server then parses those bytes according to its own HTTP implementation. This parser disagreement creates the conditions for HTTP request smuggling, classified as [CWE-444].
An attacker who controls the trailer bytes can desynchronize the proxy and the origin. Subsequent requests on the same connection may be reinterpreted, allowing the attacker to prepend hidden requests onto victim traffic.
Root Cause
The root cause is missing input validation on the HTTP chunked trailer section in the request forwarding path. ATS treats the trailer as opaque pass-through data rather than parsing and sanitizing it. Origin servers that interpret the same bytes differently from the proxy produce the request smuggling primitive.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request containing chunked transfer encoding and a malformed trailer section to a server fronted by Apache Traffic Server. The proxy forwards the malformed trailer to the origin. Where the origin interprets the trailer as a new request boundary or additional headers, the attacker achieves request smuggling. Cache poisoning becomes possible when the smuggled response is served to other clients from the shared cache.
No public proof-of-concept exploit is listed in the enriched data, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2024-35161
Indicators of Compromise
- Inbound HTTP requests containing Transfer-Encoding: chunked with malformed or unexpected trailer headers after the terminating 0\r\n chunk.
- Origin server logs showing unexpected or duplicated request boundaries on connections arriving from the ATS proxy's IP address.
- Cache entries returning content that does not match the requested resource path or Host header.
- Repeated requests to the same URL producing inconsistent responses across clients sharing the ATS cache.
Detection Strategies
- Inspect HTTP traffic for chunked trailers that include fields RFC 7230 forbids in a trailer section, such as the framing headers Transfer-Encoding and Content-Length or the routing header Host.
- Correlate proxy access logs with origin access logs to identify requests that diverge in boundary, method, or path.
- Alert on Apache Traffic Server process versions reported as 8.0.0 through 8.1.10 or 9.0.0 through 9.2.4 in the inventory.
- Monitor cache hit ratios and response variance for anomalies indicative of cache poisoning.
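The trailer check listed above, together with the chunk framing described under Vulnerability Analysis, as an added example that is not code from this page or from the ATS project: a small Python parser decodes a chunked request body and reports every trailer deviation a validating proxy should reject rather than forward (forbidden framing or routing fields, malformed field lines, bare LFs, and bytes left over after the trailer section). The sample inputs in the test are constructed.

```python
import re

# Fields RFC 7230 section 4.1.2 forbids in a trailer section: message framing
# (Transfer-Encoding, Content-Length) and routing (Host). A proxy should
# reject a trailer carrying one of these instead of forwarding it to origins.
FORBIDDEN_TRAILER_FIELDS = {b"transfer-encoding", b"content-length", b"host"}
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token

def parse_chunked_body(data: bytes):
    """Decode a chunked body; return (payload, trailer_lines, findings), where
    findings lists each framing deviation that is a smuggling indicator."""
    findings, payload, pos = [], b"", 0
    while True:  # chunk loop; ends at the zero-length chunk
        end = data.find(b"\r\n", pos)
        if end < 0:
            return payload, [], findings + ["truncated chunk-size line"]
        size_field = data[pos:end].split(b";", 1)[0].strip()  # drop extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return payload, [], findings + [f"invalid chunk size {size_field!r}"]
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            break
        payload += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            return payload, [], findings + ["chunk data not CRLF-terminated"]
        pos += 2
    trailers = []
    while True:  # trailer section: zero or more field lines, then an empty line
        end = data.find(b"\r\n", pos)
        if end < 0:
            return payload, trailers, findings + ["trailer section has no terminating empty line"]
        line, pos = data[pos:end], end + 2
        if line == b"":
            break
        if b"\n" in line:  # bare LF: parsers disagree on whether it ends a line
            findings.append(f"bare LF inside trailer line {line!r}")
        name, sep, _ = line.partition(b":")
        if not sep or not TOKEN_RE.match(name):  # also catches "Host : x"
            findings.append(f"malformed trailer line {line!r}")
            continue
        trailers.append(line)
        if name.lower() in FORBIDDEN_TRAILER_FIELDS:
            findings.append(f"forbidden trailer field {name.decode()}")
    if pos < len(data):  # leftover bytes an origin might read as a new request
        findings.append(f"{len(data) - pos} bytes after trailer section")
    return payload, trailers, findings
```

Feed it the body of each request whose Transfer-Encoding is chunked; any non-empty findings list is worth correlating against the origin's access log for the same connection.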
Monitoring Recommendations
- Enable verbose ATS transaction logging and ship logs to a centralized analytics platform for HTTP smuggling pattern matching.
- Deploy a web application firewall rule set covering [CWE-444] request smuggling signatures in front of ATS.
- Track changes to cached objects and emit alerts when a high-traffic URL changes content unexpectedly.
How to Mitigate CVE-2024-35161
Immediate Actions Required
- Upgrade Apache Traffic Server to version 8.1.11 or 9.2.5, which contain the fix for CVE-2024-35161.
- Inventory all ATS deployments using traffic_server -V and prioritize internet-facing nodes for patching.
- Apply the Debian LTS update referenced in the Debian LTS Announcement on affected Debian systems.
- Review origin server access logs for evidence of smuggled requests preceding the patch deployment.
Patch Information
The Apache Software Foundation released fixed versions 8.1.11 and 9.2.5. Patch details and the upstream advisory are available in the Apache Mailing List Thread. Debian users should consult the Debian LTS Announcement for distribution-specific package versions.
Workarounds
- Set the configuration option proxy.config.http.drop_chunked_trailers to 1 in records.config so that ATS drops trailer sections before forwarding requests to origins.
- Place a hardened reverse proxy or WAF in front of ATS to strip or reject chunked trailer sections in client requests.
- Disable HTTP/1.1 keep-alive on the origin connection where feasible to limit smuggling impact across requests.
# Configuration example: drop chunked trailers in records.config
CONFIG proxy.config.http.drop_chunked_trailers INT 1
# Verify ATS version after upgrade
traffic_server -V
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.