CVE-2025-31698
Apache Traffic Server: Client IP address from PROXY protocol is not used for ACLACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
We have discovered 378 live websites that are affected by CVE-2025-31698.
Affected Software
| Product |  ATS |
| Category | Web Servers |
| Vulnerable Domains | 378 live websites (34% of ATS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 10 versions ( 37% of all versions) |
Common Weakness Enumeration
CWE-284 Improper Access ControlDetails
- Published - Jun 19, 2025
- Updated - Jun 20, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-31698 United States | 49 websites |
 Germany | 126 websites |
 China | 125 websites |
 GB | 35 websites |
 Isle of Man | 8 websites |
 France | 7 websites |
 Italy | 7 websites |
 Finland | 5 websites |
 Canada | 4 websites |
 Russia | 4 websites |
Website Distribution by TLD
Number of websites using CVE-2025-31698| .com.cn | 88 websites |
| .com | 77 websites |
| .cn | 22 websites |
| .org | 20 websites |
| .de | 12 websites |
| .org.uk | 11 websites |
| .it | 11 websites |
| .net | 10 websites |
| .fi | 7 websites |
| .ru | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-31698
Top websites that are affected by CVE-2025-31698. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.************.net | United States | **,*** | |
| ****.******.jp |  Japan | **,*** | |
| ***.**********.de | Germany | **,*** | |
| *********.******.***.cn | China | **,*** | |
| ******.**********.de | Germany | ***,*** | |
| ******.***.cn | China | ***,*** | |
| *****.******.***.cn | China | ***,*** | |
| ***.***.**.uk | GB | ***,*** | |
| ****.******.***.cn | China | ***,*** | |
| *****.****.******.community | Germany | ***,*** |
FAQ
CVE-2025-31698 is Improper Access Control in ATS
A total of 378 websites have been identified as vulnerable to CVE-2025-31698, based on global website indexing conducted by WebTechSurvey.
The ATS is affected by the CVE-2025-31698 vulnerability.
ATS versions up to and including 10.0.6 are vulnerable to CVE-2025-31698.