CVE-2026-25949 — Uncontrolled Resource Consumption in Traefik

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 95.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Traefik Github.com Traefik Traefik V3

Timeline

PublishedFeb 12

Latest updateFeb 17

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5traefik/traefik< 3.6.8

▶NVDtraefik/traefik< 3.6.8

▶Gogithub.com/traefik_traefik_v3< 3.6.8

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Traefik: TCP readTimeout bypass via STARTTLS on Postgres in github.com/traefik/traefik↗2026-02-17

▶

CVEList

Traefik: TCP readTimeout bypass via STARTTLS on Postgres↗2026-02-12

▶

GHSA

Traefik: TCP readTimeout bypass via STARTTLS on Postgres↗2026-02-12

▶

OSV

Traefik: TCP readTimeout bypass via STARTTLS on Postgres↗2026-02-12

▶

📋Vendor Advisories

Red Hat

github.com/traefik/traefik: Traefik: Denial of Service via stalled STARTTLS requests↗2026-02-12

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25949 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶