Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0254

NIXPKGS-2026-0254
published on
Permalink CVE-2026-25949
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse ignored package traefik-certs-dumper 2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago
Traefik: TCP readTimeout bypass via STARTTLS on Postgres

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

Affected products

traefik
  • ==< 3.6.8

Matching in nixpkgs

Ignored packages (1)

Package maintainers

Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w
Upstream patch: https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678