Suggestions search

All statuses

Filter by:

With package: traefik

Found 2 matching suggestions

Published

(browse all)

Permalink CVE-2026-25949

updated 6 days, 11 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 week, 1 day ago
@LeSuisse removed package traefik-certs-dumper 6 days, 13 hours ago
@LeSuisse accepted 6 days, 13 hours ago
@LeSuisse published on GitHub 6 days, 11 hours ago

Traefik: TCP readTimeout bypass via STARTTLS on Postgres

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

Affected products

traefik

==< 3.6.8

Matching in nixpkgs

pkgs.traefik

Modern reverse proxy

nixos-unstable 3.6.7
- nixpkgs-unstable 3.6.7
- nixos-unstable-small 3.6.7
nixos-25.11 3.6.1
- nixos-25.11-small 3.6.1
- nixpkgs-25.11-darwin 3.6.1

Package maintainers

@djds djds <git@djds.dev>
@vdemeester Vincent Demeester <vincent@sbr.pm>

Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w
Upstream patch: https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678

Published

(browse all)

Permalink CVE-2026-22045

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed package traefik-certs-dumper 1 month ago
@LeSuisse removed maintainer @NickCao 1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.

Affected products

traefik

==< 2.11.35
==>=3.0.0-beta1, < 3.6.7

Matching in nixpkgs

pkgs.traefik

Modern reverse proxy

nixos-unstable 3.6.1
- nixpkgs-unstable 3.6.1
- nixos-unstable-small 3.6.2

Package maintainers

@djds djds <git@djds.dev>
@vdemeester Vincent Demeester <vincent@sbr.pm>

Upstream advisory: https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq
Upstream fix: https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d