CVE-2024-45410 — Insufficient Verification of Data Authenticity in Traefik
Severity
7.5HIGHNVD
CNA9.8GHSA9.8OSV9.8
EPSS
13.9%
top 5.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedSep 19
Latest updateMar 10
Description
Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom header…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages5 packages
🔴Vulnerability Details
6OSV▶
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) in github.com/traefik/traefik↗2026-03-10
GHSA▶
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)↗2026-03-04
OSV▶
HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik↗2024-09-26
📋Vendor Advisories
1Red Hat
▶