Bug 2373846 (CVE-2025-31698)

Summary: CVE-2025-31698 trafficserver: Apache Traffic Server PROXY Protocol ACL Bypass
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in trafficserver. When Apache Traffic Server is configured to accept the PROXY protocol, the access control lists in `ip_allow.config` and `remap.config` are evaluated against the address of the TCP peer (typically the load balancer that inserted the PROXY header) rather than the client address carried in that header. Restrictions written in terms of client addresses are therefore not enforced for traffic arriving through such a proxy, so clients that the ACL is meant to deny can reach the protected resources.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2373877, 2373878, 2373879, 2373880
Bug Blocks:

Description OSIDB Bzimport 2025-06-19 11:01:15 UTC
ACLs configured in ip_allow.config or remap.config do not use the IP addresses provided by the PROXY protocol.

Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept the PROXY protocol.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
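The following is an added worked model of the flaw and of the new setting, written for this page; it is not Apache Traffic Server code and does not reproduce its ACL implementation. It parses a PROXY protocol v1 header, evaluates an ip_allow.config-style rule list against whichever address a `proxy.config.acl.subjects`-like list selects, and shows that with the subject fixed to the TCP peer (the pre-fix behaviour) a client in a denied range is allowed through the load balancer, while selecting the PROXY-supplied address denies it. Assumptions, not facts from the page: that subjects are tried in order and the first one that yields an address is used; that an unmatched address is denied; and that a PROXY header is only honoured from a configured set of trusted peers (ATS keeps its own allowlist of peers permitted to send the header; `TRUSTED_LB` here is a stand-in for that, and the sample header and addresses are constructed).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_proxy_v1(data: bytes) -> Optional[dict]:
    """Parse a PROXY protocol v1 header at the start of a connection.

    Returns None when no valid header is present. For TCP4/TCP6 the dict
    carries the client ("src") address; for the UNKNOWN family, which a
    receiver must accept but which carries no address, "src" is None.
    """
    if not data.startswith(b"PROXY "):
        return None
    line, sep, _payload = data.partition(b"\r\n")
    if not sep or len(line) + 2 > 107:  # v1 header is at most 107 bytes including CRLF
        return None
    try:
        parts = line.decode("ascii").split(" ")
        if len(parts) >= 2 and parts[1] == "UNKNOWN":
            return {"proto": "UNKNOWN", "src": None}
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            return None
        return {
            "proto": parts[1],
            "src": ipaddress.ip_address(parts[2]),
            "dst": ipaddress.ip_address(parts[3]),
            "src_port": int(parts[4]),
            "dst_port": int(parts[5]),
        }
    except (UnicodeDecodeError, ValueError):
        return None


@dataclass(frozen=True)
class Rule:
    net: IPNet
    action: str  # "allow" or "deny"; first matching rule wins


def acl_lookup(rules: Sequence[Rule], addr: IPAddr) -> str:
    """ip_allow.config-style evaluation: first match wins, no match means deny (assumption)."""
    for rule in rules:
        if addr in rule.net:
            return rule.action
    return "deny"


def acl_subject(peer: IPAddr, proxy_hdr: Optional[dict], subjects: Sequence[str]) -> IPAddr:
    """Model of proxy.config.acl.subjects (assumed semantics): try the listed
    subjects in order and use the first one that yields an address.
    PEER is the TCP peer address; PROXY is the client address from the header."""
    for subj in subjects:
        if subj == "PEER":
            return peer
        if subj == "PROXY" and proxy_hdr is not None and proxy_hdr["src"] is not None:
            return proxy_hdr["src"]
    return peer  # modelling choice: nothing usable was listed, fall back to the peer


def decide(first_bytes: bytes, peer_ip: str, subjects: Sequence[str],
           rules: Sequence[Rule], trusted_proxies: Sequence[IPNet]) -> str:
    """Decide allow/deny for one connection as the proxy would at accept time."""
    peer = ipaddress.ip_address(peer_ip)
    hdr = parse_proxy_v1(first_bytes)
    # A PROXY header is only believed from a known load balancer. Without this
    # check any client could forge the address the ACL is evaluated against.
    if hdr is not None and not any(peer in net for net in trusted_proxies):
        return "deny"
    return acl_lookup(rules, acl_subject(peer, hdr, subjects))


# Constructed sample configuration: block one client range, allow the internal
# network that the load balancer lives in, allow everyone else.
RULES = [
    Rule(ipaddress.ip_network("203.0.113.0/24"), "deny"),
    Rule(ipaddress.ip_network("10.0.0.0/8"), "allow"),
    Rule(ipaddress.ip_network("0.0.0.0/0"), "allow"),
]
TRUSTED_LB = [ipaddress.ip_network("10.0.0.5/32")]
# Constructed header as the load balancer at 10.0.0.5 would send for client 203.0.113.7.
LB_HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 80\r\nGET / HTTP/1.1\r\n"


def demo() -> tuple:
    # Pre-fix behaviour: only the peer address is consulted, so the denied client gets through.
    vulnerable = decide(LB_HEADER, "10.0.0.5", ["PEER"], RULES, TRUSTED_LB)
    # With the PROXY-supplied address selected, the deny rule applies to the real client.
    fixed = decide(LB_HEADER, "10.0.0.5", ["PROXY", "PEER"], RULES, TRUSTED_LB)
    # A client connecting directly and forging a header claiming an internal address is refused.
    forged = decide(b"PROXY TCP4 10.0.0.1 10.0.0.9 4444 80\r\n", "203.0.113.7",
                    ["PROXY", "PEER"], RULES, TRUSTED_LB)
    return vulnerable, fixed, forged


if __name__ == "__main__":
    print(demo())
```

The third case in `demo()` is the caveat that comes with the fix: once ACLs trust the PROXY-supplied address, the set of peers allowed to send that header must itself be restricted, otherwise the bypass simply moves from "ACL ignores the header" to "anyone can write the header".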