NIXPKGS-2026-0254

GitHub issue published on 15 Feb 2026

Permalink CVE-2026-25949

updated 6 days, 12 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 week, 2 days ago
@LeSuisse removed package traefik-certs-dumper 6 days, 14 hours ago
@LeSuisse accepted 6 days, 14 hours ago
@LeSuisse published on GitHub 6 days, 12 hours ago

Traefik: TCP readTimeout bypass via STARTTLS on Postgres

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

Affected products

traefik

==< 3.6.8

Matching in nixpkgs

pkgs.traefik

Modern reverse proxy

nixos-unstable 3.6.7
- nixpkgs-unstable 3.6.7
- nixos-unstable-small 3.6.7
nixos-25.11 3.6.1
- nixos-25.11-small 3.6.1
- nixpkgs-25.11-darwin 3.6.1

Package maintainers

@djds djds <git@djds.dev>
@vdemeester Vincent Demeester <vincent@sbr.pm>

Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w
Upstream patch: https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0254

Affected products

Matching in nixpkgs

pkgs.traefik

Package maintainers