Inefficient Regular Expression Complexity Vulnerability in Apache Traffic Control
CVE-2025-61581

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Traffic Control
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-61581?

A vulnerability has been identified in Apache Traffic Control that arises due to inefficient regular expression complexity. This issue allows users with access to the management interface of the Traffic Router component to specify malicious patterns. Such patterns can lead to system unavailability, rendering the service unstable. Since Apache Traffic Control is now a retired project, it is important for users to be aware that no further updates or patches will be made available to remediate this vulnerability. As a precaution, it is strongly advised to either restrict access to trusted users or seek alternative solutions.

Affected Version(s)

Apache Traffic Control 0

References

https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4p...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Sep 26, 2025

Credit

Chris Lemmons

JSON