Cyberveille, curated by Decio
4 results tagged imperva
CVE-2025-49763 - Remote DoS via Memory Exhaustion in Apache Traffic Server via ESI Plugin https://www.imperva.com/blog/cve-2025-49763-remote-dos-via-memory-exhaustion-in-apache-traffic-server-via-esi-plugin/
20/06/2025 21:54:47

Imperva’s Offensive Security Team discovered CVE-2025-49763, a high-severity vulnerability (CVSS v3.1 estimated score: 7.5) in Apache Traffic Server’s ESI plugin that enables unauthenticated attackers to exhaust memory and potentially crash proxy nodes. Given ATS’s role in global content delivery[1], even a single node failure can black-hole thousands of sessions. Organizations should urgently upgrade to version 9.2.11 or 10.0.6 and enforce the new inclusion-depth safeguard.

Why reverse‑proxy servers matter
Every web request you make today almost certainly travels through one or more reverse‑proxy caches before it reaches the origin application. These proxies:

  • Off‑load origin servers by caching hot objects
  • Collapse duplicate requests during traffic spikes
  • Terminate TLS and enforce security controls
  • And sit “at the edge”, close to end‑users, to shave hundreds of milliseconds off page‑load time.

Because they concentrate so much traffic, a single reverse‑proxy node going offline can black‑hole thousands of concurrent sessions; at scale, an outage ripples outward like a dropped stone in water, slowing CDNs, SaaS platforms, media portals and on‑line banks alike. Denial‑of‑service (DoS) conditions on these boxes are therefore high‑impact events, not a mere nuisance.

...

CVE-2025-49763 is a newly disclosed flaw in Apache Traffic Server’s Edge-Side Includes plugin that allows an unauthenticated attacker to embed or request endlessly nested <esi:include> tags, forcing the proxy to consume all available memory until it is out-of-memory-killed and service is lost.

This vulnerability can be exploited in two different ways:

A threat actor could exploit an Edge Side Include injection and recursively inject the same page over and over again.

[Figure: exploitation via ESI injection]

A threat actor could also host a malicious server next to a target, behind a vulnerable Traffic Server proxy, and take down the proxy by triggering the ESI request avalanche (see Fig. 2).

[Figure: exploitation via malicious error]

This results in a full denial of service on edge proxy nodes, triggered remotely without requiring authentication.

imperva EN 2025 vulnerability CVE-2025-49763 analysis Apache Traffic-Server
ShadyShader: Crashing Apple Devices with a Single Click https://www.imperva.com/blog/shadyshader-crashing-apple-m-series-with-single-click/
23/10/2024 11:41:59

ShadyShader: Crashing Apple M-Series Devices with a Single Click

imperva EN 2024 ShadyShader Apple M-Series Click crash
Imperva Uncovers CVE-2023-22524, A RCE Vulnerability https://www.imperva.com/blog/cve-2023-22524-rce-vulnerability-in-atlassian-companion-for-macos/
16/12/2023 01:01:43

Learn about an RCE vulnerability, discovered by the Imperva Red Team, identified as CVE-2023-22524, in Atlassian Companion for macOS.

imperva EN 2023 RCE vulnerability CVE-2023-22524 Atlassian macOS
Record 25.3 Billion Request Multiplexing Attack Mitigated by Imperva https://www.imperva.com/blog/record-25-3-billion-request-multiplexing-attack-mitigated-by-imperva/
21/09/2022 22:49:37

On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution.

While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.

imperva EN 2022 DDoS RPS attack