NIXPKGS-2026-0648

GitHub issue published on

Permalink CVE-2026-29777

updated 1 month, 1 week ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 1 week ago
@LeSuisse ignored package traefik-certs-dumper 1 month, 1 week ago
@LeSuisse accepted 1 month, 1 week ago
@LeSuisse published on GitHub 1 month, 1 week ago

Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.

References

https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v3.6.10 x_refsource_MISC

Affected products

traefik

==< 3.6.10

Matching in nixpkgs

pkgs.traefik

Modern reverse proxy

nixos-unstable 3.6.10
- nixpkgs-unstable 3.6.10
- nixos-unstable-small 3.6.10
nixos-25.11 3.6.8
- nixos-25.11-small 3.6.8
- nixpkgs-25.11-darwin 3.6.8

Ignored packages (1)

pkgs.traefik-certs-dumper

dump ACME data from traefik to certificates

nixos-unstable 2.11.0
- nixpkgs-unstable 2.11.0
- nixos-unstable-small 2.11.0
nixos-25.11 2.10.0
- nixos-25.11-small 2.10.0
- nixpkgs-25.11-darwin 2.10.0

Package maintainers

@djds djds <git@djds.dev>
@vdemeester Vincent Demeester <vincent@sbr.pm>

Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj