# github.com/traefik/traefik vulnerabilities

17 known vulnerabilities affecting github.com/traefik/traefik.

| Metric | Value |
|---|---|
| Total CVEs | 17 |
| CISA KEV | 0 |
| Public exploits | 1 (CVE-2020-15129, tagged PoC below) |
| Exploited in wild | 0 |
| Severity breakdown | CRITICAL 3, HIGH 7, MEDIUM 7 |

## Vulnerabilities

### CVE-2026-32305 [HIGH] CWE-287

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2026-03-20.

Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config

Summary: There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extr
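The failure mode described above is a pre-TLS sniffer that reads one record, does not find a complete ClientHello in it, and treats "no SNI" as "use the default TLS configuration". The following is an added example, not Traefik's code: a hand-built ClientHello carrying one server_name extension is split across TLS records, and a sniffer that inspects only the first record is placed beside one that reassembles the handshake message before parsing it. The message layout is the minimum needed to parse; the host name `mtls.example` and the 40-byte fragment size are constructed for the example.

```go
package main

import "errors"

func be16(b []byte) int { return int(b[0])<<8 | int(b[1]) }
func hsLen(hs []byte) int { return int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3]) } // 24-bit handshake body length

// buildClientHello returns a minimal ClientHello handshake message (handshake header
// included, record layer excluded) with one server_name extension. Constructed for
// this example; a real hello carries far more fields, but the layout is the same.
func buildClientHello(sni string) []byte {
	name := []byte(sni)
	// extension: type(2)=0 data_len(2) list_len(2) name_type(1)=0 name_len(2) host_name
	ext := append([]byte{0, 0, byte((len(name) + 5) >> 8), byte(len(name) + 5),
		byte((len(name) + 3) >> 8), byte(len(name) + 3), 0, byte(len(name) >> 8), byte(len(name))}, name...)
	body := []byte{0x03, 0x03}                             // client_version
	body = append(body, make([]byte, 32)...)               // random (zeros parse fine)
	body = append(body, 0)                                 // session_id length
	body = append(body, 0x00, 0x02, 0x13, 0x01)            // cipher_suites: one suite
	body = append(body, 0x01, 0x00)                        // compression_methods: null
	body = append(body, byte(len(ext)>>8), byte(len(ext))) // extensions length
	body = append(body, ext...)
	return append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
}

// fragment wraps msg in TLS handshake records of at most maxFrag payload bytes each.
func fragment(msg []byte, maxFrag int) (out []byte) {
	for i := 0; i < len(msg); i += maxFrag {
		end := i + maxFrag
		if end > len(msg) {
			end = len(msg)
		}
		out = append(out, 0x16, 0x03, 0x01, byte((end-i)>>8), byte(end-i))
		out = append(out, msg[i:end]...)
	}
	return out
}

// parseSNI extracts host_name from one complete ClientHello handshake message.
func parseSNI(msg []byte) (string, error) {
	if len(msg) < 4 || msg[0] != 0x01 || hsLen(msg) < 34 || len(msg) < 4+hsLen(msg) {
		return "", errors.New("not a complete client_hello") // what a lone partial record yields
	}
	p := msg[38 : 4+hsLen(msg)]         // past header, client_version and random
	for _, lb := range []int{1, 2, 1} { // skip session_id, cipher_suites, compression_methods
		if len(p) < lb {
			return "", errors.New("short client_hello")
		}
		n := int(p[lb-1]) | int(p[0])<<(8*(lb-1)) // lb-byte big-endian length prefix
		if len(p) < lb+n {
			return "", errors.New("short client_hello")
		}
		p = p[lb+n:]
	}
	if len(p) < 2 || len(p) < 2+be16(p) {
		return "", errors.New("short extensions")
	}
	for exts := p[2 : 2+be16(p)]; len(exts) >= 4; {
		typ, l := be16(exts), be16(exts[2:])
		exts = exts[4:]
		if len(exts) < l {
			return "", errors.New("short extension")
		}
		if typ == 0 { // server_name: list_len(2) name_type(1) name_len(2) host_name
			if l < 5 || 5+be16(exts[3:]) > l {
				return "", errors.New("malformed server_name")
			}
			return string(exts[5 : 5+be16(exts[3:])]), nil
		}
		exts = exts[l:]
	}
	return "", errors.New("no server_name extension")
}

// sniffFirstRecordOnly mirrors the flawed approach: look for the SNI in the first
// record's payload alone; any failure means "no SNI" and the default TLS config.
func sniffFirstRecordOnly(stream []byte) string {
	if len(stream) < 5 || len(stream) < 5+be16(stream[3:]) {
		return ""
	}
	sni, _ := parseSNI(stream[5 : 5+be16(stream[3:])]) // error => "" => non-mTLS fallback
	return sni
}

// sniffReassembled buffers handshake fragments across records until the whole
// message is present, with a 64 KiB cap so a slow client cannot make us hold more.
func sniffReassembled(stream []byte) (string, error) {
	for hs := []byte{}; len(stream) >= 5 && len(hs) < 1<<16; {
		n := be16(stream[3:])
		if stream[0] != 0x16 || len(stream) < 5+n {
			return "", errors.New("bad or incomplete handshake record")
		}
		hs = append(hs, stream[5:5+n]...)
		stream = stream[5+n:]
		if len(hs) >= 4 && len(hs) >= 4+hsLen(hs) {
			return parseSNI(hs[:4+hsLen(hs)])
		}
	}
	return "", errors.New("client_hello incomplete or too large")
}
```

The point to take from the two sniffers is the fallback policy as much as the parsing: a sniffer that maps every parse failure to "default TLS configuration" turns an incomplete first record into a downgrade away from mTLS. Reassembling is the fix for the fragmentation case; failing closed when the ClientHello is still incomplete (drop the connection, or apply the strictest configuration) is the fix for everything else.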
### CVE-2026-32595 [MEDIUM] CWE-208

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2026-03-20.

Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration

Summary: There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediat
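The leak above is the classic "early return on unknown user" shape: the expensive hash only runs when the username exists, so response latency tells the attacker which usernames are real. The following added example (not Traefik's middleware) shows that shape beside the usual fix, hashing against a dummy entry so every attempt costs one hash. An iterated SHA-256 stands in for bcrypt purely to make the cost observable; the user store, salts and passwords are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// slowHash stands in for bcrypt: an iterated SHA-256 over salt and password.
// It is not a password hash to deploy; it only makes a comparison take
// measurable time, which is all the side channel depends on.
const hashRounds = 100000

func slowHash(salt, password string) []byte {
	sum := sha256.Sum256([]byte(salt + ":" + password))
	for i := 1; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

type user struct {
	salt string
	hash []byte
}

// users is a constructed stand-in for the BasicAuth users list.
var users = map[string]user{
	"alice": {salt: "salt-a", hash: slowHash("salt-a", "correct horse")},
}

// dummy is hashed once at startup so that an unknown username costs exactly
// one hash, the same as a known one.
var dummy = user{salt: "salt-dummy", hash: slowHash("salt-dummy", "unused")}

// authVulnerable returns early for unknown usernames. The second result
// reports whether the expensive comparison ran: that is the observable the
// attacker measures as response latency.
func authVulnerable(username, password string) (ok, hashed bool) {
	u, found := users[username]
	if !found {
		return false, false
	}
	return subtle.ConstantTimeCompare(slowHash(u.salt, password), u.hash) == 1, true
}

// authHardened always does one hash and one constant-time compare, then
// folds in the "user exists" bit without branching on the comparison result.
func authHardened(username, password string) (ok, hashed bool) {
	u, found := users[username]
	exists := 0
	if found {
		exists = 1
	} else {
		u = dummy
	}
	match := subtle.ConstantTimeCompare(slowHash(u.salt, password), u.hash)
	return match&exists == 1, true
}

// timeAuth measures one call, the way an attacker would from the outside.
func timeAuth(auth func(string, string) (bool, bool), username string) time.Duration {
	start := time.Now()
	auth(username, "probe")
	return time.Since(start)
}

func main() {
	for _, name := range []string{"alice", "nobody"} {
		fmt.Printf("%-7s vulnerable=%v hardened=%v\n", name,
			timeAuth(authVulnerable, name), timeAuth(authHardened, name))
	}
}
```

The map lookup and the `found` branch still differ by nanoseconds between the two cases; what the hardened version removes is the ~166 ms class of difference the advisory describes, which is the one measurable over a network.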
### CVE-2026-29777 [MEDIUM] CWE-74

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2026-03-11.

Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values

Summary: There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection. A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query para
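Traefik rules quote string arguments in backticks, so a match value that contains a backtick can close the literal and append its own matchers. The following added example (not the Kubernetes Gateway provider's code) builds a rule from HTTPRoute-style values the vulnerable way and the hardened way, and includes a small scanner that counts matcher calls outside string literals so the injected predicate is visible. The host names and header names are constructed for the example; rejecting the delimiter is one fix, not necessarily the one the project shipped.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// buildRuleVulnerable interpolates tenant-supplied HTTPRoute match values
// straight into a backtick-quoted Traefik rule string.
func buildRuleVulnerable(host, headerName, headerValue string) string {
	return fmt.Sprintf("Host(`%s`) && Header(`%s`, `%s`)", host, headerName, headerValue)
}

// buildRuleHardened rejects any component that could terminate the quoted
// token. Backtick literals have no escape sequence, so refusing the
// delimiter (and line breaks) is the safe choice at this layer.
func buildRuleHardened(host, headerName, headerValue string) (string, error) {
	for _, part := range []string{host, headerName, headerValue} {
		if strings.ContainsAny(part, "`\r\n") {
			return "", errors.New("match value contains a reserved character")
		}
	}
	return buildRuleVulnerable(host, headerName, headerValue), nil
}

// matcherCalls lists the matcher names that appear outside backtick strings,
// so we can count how many predicates a rule really ends up with.
func matcherCalls(rule string) (calls []string) {
	inString, word := false, ""
	for _, r := range rule {
		switch {
		case r == '`':
			inString = !inString
		case inString:
		case r >= 'A' && r <= 'Z' || r >= 'a' && r <= 'z':
			word += string(r)
		case r == '(' && word != "":
			calls = append(calls, word)
			word = ""
		default:
			word = ""
		}
	}
	return calls
}

func main() {
	// a value a tenant could place in an HTTPRoute header match (constructed)
	injected := "acme`) || Host(`victim.example"
	rule := buildRuleVulnerable("tenant.example", "X-Tenant", injected)
	fmt.Println(rule, matcherCalls(rule))
	_, err := buildRuleHardened("tenant.example", "X-Tenant", injected)
	fmt.Println("hardened:", err)
}
```

With the injected value the vulnerable builder emits `Host(`tenant.example`) && Header(`X-Tenant`, `acme`) || Host(`victim.example`)`: because `&&` binds tighter than `||`, the appended `Host(`victim.example`)` matches on its own, and the tenant's router now captures another tenant's traffic.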
### CVE-2025-68121 [CRITICAL] CVSS 10.0, CWE-1395

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2026-02-20.

Traefik affected by TLS ClientAuth Bypass on HTTP/3

Summary: There is a potential vulnerability in Traefik managing HTTP/3 connections. More details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).

Patches:
- https://github.com/traefik/traefik/releases/tag/v2.11.37
- https://github.com/traefik/traefik/releases/tag/v3.6.8

Workarounds: No workaround.

For more information
### CVE-2025-66490 [MEDIUM] CWE-436

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2025-12-08.

Path Normalization Bypass in Traefik Router + Middleware Rules

Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set **('/', '\', 'Null', ';', '
### CVE-2025-47952 [HIGH] CVSS 8.8, CWE-22

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2025-05-28.

Traefik allows path traversal using url encoding

Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it's possible to target a backend, exposed using another router, by-passing the middlewa
### CVE-2025-32431 [HIGH] CWE-22

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2025-04-21.

Traefik has a possible vulnerability with its path matchers

Impact: There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it's possible to target a backend, exposed using another router, by-passing th
### CVE-2024-45410 [CRITICAL] CVSS 9.8, CWE-345

Affected (as listed): ≥ 0, < 2.11.9. Published: 2024-09-19.

HTTP client can manipulate custom HTTP headers that are added by Traefik

Impact: There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).

Patches:
- https://github.com/traefik/traefik/releases/tag/v2.11.9
- https://github.com/traefik/traefik/releases/tag/v3.1.3

Workarounds: No workaround.

For more i
### CVE-2024-24790 [CRITICAL] CVSS 9.8, CWE-180

Affected (as listed): ≥ 0, < 2.11.4. Published: 2024-06-11.

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Impact: There is a vulnerability in [Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses](https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ). They didn't work as expected, returning false for addresses which would return true in their traditional IPv4 forms.

Referen
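The practical lesson from the Go issue above is that `::ffff:10.1.2.3` and `10.1.2.3` are the same host and must be classified the same way. The following added example (not Traefik's IP allowlist middleware) shows the difference on an allowlist check using `net/netip`: `Prefix.Contains` is documented never to match an IPv4-mapped IPv6 address against an IPv4 prefix, so canonicalising with `Addr.Unmap()` before any range or `IsPrivate`-style check is the fix regardless of which Go version the predicates were patched in. The ranges and addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// sourceRange stands in for an IP allowlist middleware's configured ranges.
var sourceRange = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

func inRanges(ip netip.Addr) bool {
	for _, p := range sourceRange {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// classifyNaive checks the address as parsed. netip.Prefix.Contains documents
// that an IPv4-mapped IPv6 address never matches an IPv4 prefix, so
// ::ffff:10.1.2.3 is classified as "not in range" here.
func classifyNaive(remote string) bool {
	ip, err := netip.ParseAddr(remote)
	return err == nil && inRanges(ip)
}

// classifyUnmapped canonicalises first: Unmap turns ::ffff:a.b.c.d into
// a.b.c.d and leaves every other address untouched.
func classifyUnmapped(remote string) bool {
	ip, err := netip.ParseAddr(remote)
	return err == nil && inRanges(ip.Unmap())
}

// isPrivateUnmapped applies the same canonicalisation before the IsPrivate
// predicate the advisory names.
func isPrivateUnmapped(remote string) bool {
	ip, err := netip.ParseAddr(remote)
	return err == nil && ip.Unmap().IsPrivate()
}

func main() {
	for _, r := range []string{"10.1.2.3", "::ffff:10.1.2.3", "::ffff:8.8.8.8"} {
		fmt.Printf("%-16s naive=%-5v unmapped=%-5v private=%v\n",
			r, classifyNaive(r), classifyUnmapped(r), isPrivateUnmapped(r))
	}
}
```

Whether the misclassification fails open or closed depends on which side of the decision the range sits: on an allowlist an internal client is wrongly refused, but where the check decides "is this a trusted proxy" or "is this target an internal address", the mapped form slips past the control.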
### CVE-2024-24788 [MEDIUM] CVSS 5.9, CWE-1395

Affected (as listed): ≥ 0, ≤ 1.7.34. Published: 2024-05-23.

Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop

Impact: There is a vulnerability in [GO managing malformed DNS message](https://groups.google.com/g/golang-announce/c/wkkO4P9stm0), which impacts Traefik. This vulnerability could be exploited to cause a denial of service.

References:
- [CVE-2024-24788](https://www.cve.org/CVERecord?id=
### CVE-2024-28869 [HIGH] CWE-404

Affected (as listed): ≥ 0, < 2.11.2. Published: 2024-04-12.

Traefik vulnerable to denial of service with Content-length header

There is a potential vulnerability in Traefik managing requests with a `Content-Length` header and no body. Sending a `GET` request to any Traefik endpoint with the `Content-Length` request header (and never sending the announced body) results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
### CVE-2023-39325 [HIGH] CVSS 7.5, CWE-400

Affected (as listed): ≥ 0, < 2.10.5; ≥ 3.0.0-beta1, < 3.0.0-beta4. Published: 2023-10-17.

Traefik vulnerable to HTTP/2 request causing denial of service

Impact: A vulnerability CVE-2023-39325 exists in [Go managing HTTP/2 requests](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ?pli=1), which impacts Traefik. This vulnerability could be exploited to cause a denial of service.

References:
- [CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487)
- [
### CVE-2019-12452 [HIGH] CWE-522

Affected (as listed): ≥ 1.7.0, < 1.7.12. Published: 2022-05-24.

Containous Traefik Exposes Password Hashes

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the `--api` flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by readi
### CVE-2018-15598 [HIGH] CWE-287

Affected (as listed): ≥ 1.6.0, < 1.6.6. Published: 2022-05-13.

Traefik Missing Authentication

Containous Traefik 1.6.x before 1.6.6, when `--api` is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
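Both `--api` advisories above reduce to the same deployment mistake: the API reachable without access control, which hands out the full dynamic configuration including the basicAuth user hashes it contains. The following is an added example (not taken from the advisories) in the YAML configuration syntax of Traefik v2/v3, where the v1 `--api` flag became the `api` section: the weak `api.insecure` setting beside a corrected pair of static and dynamic configurations that publish only the dashboard, through a normal router, behind basicAuth and an IP allowlist. The hostname, file path, network range and the placeholder hash are assumptions; `ipAllowList` is the v3 name of the middleware (v2 calls it `ipWhiteList`).

```yaml
# Weak (static configuration): the API and dashboard are served on the
# dedicated "traefik" entryPoint (port 8080 by default) with no
# authentication. Anyone who can reach that port can read every router,
# middleware and service definition, user hashes included.
api:
  insecure: true
---
# Corrected (static configuration): keep the API off the insecure entryPoint,
# enable only the dashboard, and route to it like any other service.
api:
  dashboard: true
  insecure: false
entryPoints:
  websecure:
    address: ":443"
providers:
  file:
    filename: /etc/traefik/dynamic.yml
---
# Corrected (dynamic configuration, /etc/traefik/dynamic.yml): the dashboard
# router targets the built-in api@internal service behind basicAuth and an
# IP allowlist. The hostname and range are assumptions for this example.
http:
  routers:
    dashboard:
      rule: "Host(`traefik.internal.example`)"
      entryPoints: ["websecure"]
      service: api@internal
      middlewares: ["dashboard-auth", "office-only"]
      tls: {}
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          # placeholder: generate with `htpasswd -nB admin`, never a plaintext password
          - "admin:<bcrypt hash from htpasswd>"
    office-only:
      ipAllowList:
        sourceRange: ["10.0.0.0/8"]
```

A quick check after deploying: `curl -sk https://traefik.internal.example/api/rawdata` from outside the allowed range should return 403, from inside without credentials 401, and port 8080 should not be listening at all.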
### CVE-2020-15129 [MEDIUM] CWE-601 (public PoC)

Affected (as listed): ≥ 1.5.0-rc5, < 1.7.26. Published: 2022-02-11.

Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header

Summary: There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisonin
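An open redirect through a forwarded-prefix header arises when the prefix is prepended to a redirect target without checking that it is still a path. The following added example (not Traefik's middleware code) shows that construction beside a validated one; the protocol-relative `//attacker.example` form and the backslash variant are the shapes assumed here, since the advisory text on this page does not spell out the payload.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// redirectLocationVulnerable prepends the forwarded prefix to the redirect
// target without validation. A prefix of "//attacker.example" yields a
// protocol-relative Location that browsers resolve to another host.
func redirectLocationVulnerable(forwardedPrefix, target string) string {
	return forwardedPrefix + target
}

// validForwardedPrefix accepts an empty prefix or a plain absolute path:
// exactly one leading slash, no "//" anywhere, no backslash (browsers treat
// "\" as "/" in http URLs) and no CR/LF (response header injection).
func validForwardedPrefix(prefix string) error {
	switch {
	case prefix == "":
		return nil
	case !strings.HasPrefix(prefix, "/") || strings.Contains(prefix, "//"):
		return errors.New("prefix must be a single-slash absolute path")
	case strings.ContainsAny(prefix, "\\\r\n"):
		return errors.New("prefix contains a forbidden character")
	}
	return nil
}

// redirectLocationHardened validates the prefix before building the Location.
func redirectLocationHardened(forwardedPrefix, target string) (string, error) {
	if err := validForwardedPrefix(forwardedPrefix); err != nil {
		return "", err
	}
	return forwardedPrefix + target, nil
}

func main() {
	for _, prefix := range []string{"/app", "//attacker.example", "/\\attacker.example"} {
		loc, err := redirectLocationHardened(prefix, "/login")
		fmt.Printf("%-22q vulnerable=%-32q hardened=%q %v\n",
			prefix, redirectLocationVulnerable(prefix, "/login"), loc, err)
	}
}
```

The advisory's note about cache poisoning is the reason to validate even when clients cannot normally reach Traefik with their own `X-Forwarded-Prefix`: a single injected header on a cacheable redirect poisons the Location every later visitor receives.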
### CVE-2020-9321 [MEDIUM] CWE-200

Affected (as listed): ≥ 0, < 2.1.4. Published: 2021-09-02.

Traefik has an Improper Certificate Handling issue

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.
### CVE-2021-32813 [MEDIUM] CWE-913

Affected (as listed): ≥ 0, ≤ 1.7.30. Published: 2021-08-05.

Header dropping in traefik

Impact: There exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation; however, the Traefik team has addressed this issue to prevent any potential abuse.

Details: If you have a chain of Traefik middlewares, and one of them sets a request header `Important
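The mechanism behind the Connection-header issue is ordinary hop-by-hop handling: a proxy must drop every header the client lists in `Connection`, and if that step runs after a middleware has already added a header the backend trusts, the client can name that header and have it removed. The following added example (not Traefik's middleware chain) builds both orderings with `net/http` handlers and sends the same request through each; the header name `Important-Header`, its value and the host are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// setImportantHeader stands in for a middleware that stamps a request header
// the backend trusts for authorization decisions (constructed name and value).
func setImportantHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set("Important-Header", "trusted-value")
		next.ServeHTTP(w, r)
	})
}

// stripHopByHop removes every header the client named in Connection, as a
// proxy must (RFC 7230 section 6.1). The step is correct; its position in the
// chain is what decides whether a client can undo a middleware's work.
func stripHopByHop(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, v := range r.Header.Values("Connection") {
			for _, name := range strings.Split(v, ",") {
				if name = strings.TrimSpace(name); name != "" {
					r.Header.Del(name)
				}
			}
		}
		r.Header.Del("Connection")
		next.ServeHTTP(w, r)
	})
}

// vulnerableChain: the middleware sets the header first, then hop-by-hop
// stripping runs, so "Connection: Important-Header" from the client deletes it.
func vulnerableChain(backend http.Handler) http.Handler {
	return setImportantHeader(stripHopByHop(backend))
}

// hardenedChain strips client-nominated hop-by-hop headers before any
// middleware adds headers the backend relies on.
func hardenedChain(backend http.Handler) http.Handler {
	return stripHopByHop(setImportantHeader(backend))
}

// backendSees sends one request with the given Connection header value
// through a chain and returns the Important-Header value the backend got.
func backendSees(chain func(http.Handler) http.Handler, connection string) string {
	var seen string
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Important-Header")
	})
	req := httptest.NewRequest("GET", "http://app.example/", nil)
	if connection != "" {
		req.Header.Set("Connection", connection)
	}
	chain(backend).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Printf("vulnerable: %q\n", backendSees(vulnerableChain, "Important-Header"))
	fmt.Printf("hardened:   %q\n", backendSees(hardenedChain, "Important-Header"))
}
```

The same ordering rule applies to any header a proxy adds and a backend trusts: sanitise what the client controls first, add what you vouch for last, and treat a client-supplied `Connection` value naming a non-standard header as a signal worth logging.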