github.com/traefik/traefik/v2 vulnerabilities
47 known vulnerabilities affecting the Go module github.com/traefik/traefik/v2.
Total CVEs
47
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL 5, HIGH 20, MEDIUM 21, LOW 1
Vulnerabilities
Page 3 of 3
CVE-2023-47124 | P4 | MEDIUM | affected: ≥ 0, < 2.10.6 | published 2023-12-05
CVE-2023-47124 [MEDIUM] CWE-400 Traefik vulnerable to potential DDoS via ACME HTTPChallenge
## Impact
There is a potential vulnerability in Traefik managing the ACME HTTP challenge.
When Traefik is configured to use the [HTTPChallenge](https://doc.traefik.io/traefik/https/acme/#httpchallenge) to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attacker
Sources: GHSA, OSV
CVE-2024-24788 | P4 | MEDIUM | CVSS 5.9 | affected: ≥ 0, < 2.11.3 | published 2024-05-23
CVE-2024-24788 [MEDIUM] CWE-1395 Traefik vulnerable to Go issue allowing malformed DNS message to cause infinite loop
### Impact
There is a vulnerability in [Go's handling of malformed DNS messages](https://groups.google.com/g/golang-announce/c/wkkO4P9stm0), which impacts Traefik.
This vulnerability could be exploited to cause a denial of service.
### References
- [CVE-2024-24788](https://www.cve.org/CVERecord?id=
Sources: GHSA, OSV
CVE-2024-35255 | P4 | MEDIUM | CVSS 5.5 | affected: ≥ 0, < 2.11.5 | published 2024-06-20
CVE-2024-35255 [MEDIUM] CWE-362 ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability
### Impact
There is a vulnerability in the Azure Identity Libraries and Microsoft Authentication Library ([Elevation of Privilege Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2024-35255)), which Traefik pulls in for the ACME DNS challenge.
### References
- [CVE-2024-35255](https://nvd.nist.gov/vuln/detail/CVE-2024-35255)
### Patches
- https://github.com/traefik/trae
Sources: GHSA, OSV
CVE-2024-52003 | P4 | MEDIUM | affected: ≥ 0, < 2.11.14 | published 2024-12-02
CVE-2024-52003 [MEDIUM] CWE-601 Traefik's X-Forwarded-Prefix Header still allows for Open Redirect
### Impact
There is a vulnerability in Traefik that allows a client to supply the `X-Forwarded-Prefix` header from an untrusted source; because that prefix ends up in redirect targets, an attacker-controlled value leads to an open redirect.
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.14
- https://github.com/traefik/traefik/releases/tag/v3.2.1
### Workarounds
No workaround.
### For more information
If
Sources: GHSA, OSV
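The weakness class above (CWE-601 via a forwarded-prefix header) in a runnable form. This is an added example written for this page, not Traefik's code or the code path the advisory fixed: it shows the generic pattern of prepending whatever `X-Forwarded-Prefix` a request carries to a redirect target, next to a hardened version that only honours the header when it arrives from a configured trusted proxy and parses as a plain path. The trusted-proxy list, the `isPathPrefix` rule and the request values are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// trustedProxies lists the networks whose forwarded headers are believed.
// Constructed for this example; a real deployment loads this from config.
var trustedProxies = mustCIDRs("10.0.0.0/8", "127.0.0.0/8")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// fromTrustedProxy reports whether the TCP peer is one of the trusted proxies.
func fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	for _, n := range trustedProxies {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// isPathPrefix accepts only a plain absolute path: no scheme, no host, and
// not the "//host" or "/\host" forms that browsers treat as a new origin.
func isPathPrefix(p string) bool {
	if p == "" {
		return true
	}
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.HasPrefix(p, "/\\") {
		return false
	}
	u, err := url.Parse(p)
	return err == nil && u.Scheme == "" && u.Host == "" && u.Opaque == "" && u.Path == p
}

// redirectLocationLeaky is the weak pattern: whatever X-Forwarded-Prefix the
// request carries is prepended to the redirect target, so an untrusted client
// controls the start of the Location header.
func redirectLocationLeaky(r *http.Request, target string) string {
	return r.Header.Get("X-Forwarded-Prefix") + target
}

// redirectLocationSafe honours the header only when it came from a trusted
// proxy and is a plain path; otherwise the header is ignored.
func redirectLocationSafe(r *http.Request, target string) string {
	prefix := r.Header.Get("X-Forwarded-Prefix")
	if !fromTrustedProxy(r.RemoteAddr) || !isPathPrefix(prefix) {
		prefix = ""
	}
	return prefix + target
}

func main() {
	// Constructed request from an untrusted client that sets the header itself.
	req := httptest.NewRequest("GET", "/account", nil)
	req.RemoteAddr = "203.0.113.7:51000"
	req.Header.Set("X-Forwarded-Prefix", "//attacker.example")

	rec := httptest.NewRecorder()
	http.Redirect(rec, req, redirectLocationLeaky(req, "/login"), http.StatusFound)
	fmt.Println("leaky Location:", rec.Header().Get("Location"))

	rec = httptest.NewRecorder()
	http.Redirect(rec, req, redirectLocationSafe(req, "/login"), http.StatusFound)
	fmt.Println("safe  Location:", rec.Header().Get("Location"))
}
```

Checking the peer address is what makes the prefix trustworthy; validating its shape is what keeps a misconfigured or compromised proxy from turning the header into an absolute URL. Both checks are needed, which is why the hardened function applies them together.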
CVE-2026-26998 | P4 | MEDIUM | affected: ≥ 0, < 2.11.38 | published 2026-03-04
CVE-2026-26998 [MEDIUM] CWE-770 Traefik has unbounded io.ReadAll on auth server response body that causes OOM DoS
## Impact
There is a potential vulnerability in Traefik managing the ForwardAuth middleware responses.
When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no `maxResponseBodySize`
Sources: GHSA, OSV
CVE-2026-41263 | P4 | MEDIUM | CVSS 6.3 | affected: ≥ 0, < 2.11.43 | published 2026-04-24
CVE-2026-41263 [MEDIUM] CWE-208 Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
## Summary
There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences.
The variable intended to hold a constant-time fallback secret always re
Sources: GHSA
CVE-2026-32595 | P4 | MEDIUM | affected: ≥ 0, < 2.11.41 | published 2026-03-20
CVE-2026-32595 [MEDIUM] CWE-208 Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration
## Summary
There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack.
When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediat
Sources: GHSA, OSV
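Both BasicAuth advisories above (CVE-2026-32595 and CVE-2026-41263) describe the same shape of defect: an unknown username skips the expensive password comparison, so the response time tells the attacker whether the name exists. The block below is an added example written for this page, not Traefik's middleware or its fix. `VerifyLeaky` returns early for unknown users; `VerifyConstantWork` always runs one expensive comparison, against a random fallback credential when the user is unknown, and still returns false for such users. Because the verifier has no `golang.org/x/crypto`, the ~166 ms bcrypt round is stood in for by iterated SHA-256 (`slowHash`); that stand-in, the iteration count and the user table are constructed for the demonstration and not a password-hashing recommendation.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// slowHashIterations makes slowHash cost tens of milliseconds so it plays the
// role bcrypt plays in the advisory. Demonstration stand-in only.
const slowHashIterations = 200000

// slowHash is the bcrypt stand-in: iterated SHA-256 over salt||password.
func slowHash(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < slowHashIterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

type credential struct {
	salt []byte
	hash []byte
}

// BasicAuth holds the user table plus a fallback credential that can never
// match but costs exactly as much to check as a real one.
type BasicAuth struct {
	users        map[string]credential
	fallback     credential
	SlowCompares int // number of slowHash comparisons performed; exposed for the demo
}

func NewBasicAuth(passwords map[string]string) *BasicAuth {
	b := &BasicAuth{users: map[string]credential{}}
	for name, pw := range passwords {
		salt := randomBytes(16)
		b.users[name] = credential{salt: salt, hash: slowHash(pw, salt)}
	}
	// Fallback secret: random, generated once at startup, never disclosed.
	fbSalt := randomBytes(16)
	b.fallback = credential{salt: fbSalt, hash: slowHash(string(randomBytes(32)), fbSalt)}
	return b
}

// VerifyLeaky returns early for unknown users, so a request for a nonexistent
// name comes back in microseconds while a real one takes a full slow-hash
// round: the response time reveals which usernames exist.
func (b *BasicAuth) VerifyLeaky(user, password string) bool {
	c, ok := b.users[user]
	if !ok {
		return false
	}
	b.SlowCompares++
	return subtle.ConstantTimeCompare(slowHash(password, c.salt), c.hash) == 1
}

// VerifyConstantWork always performs one slow-hash comparison, against the
// fallback credential when the user is unknown, so timing no longer depends on
// whether the username exists. Unknown users are still rejected.
func (b *BasicAuth) VerifyConstantWork(user, password string) bool {
	c, ok := b.users[user]
	if !ok {
		c = b.fallback
	}
	b.SlowCompares++
	match := subtle.ConstantTimeCompare(slowHash(password, c.salt), c.hash) == 1
	return ok && match
}

func randomBytes(n int) []byte {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return buf
}

func timeIt(f func() bool) time.Duration {
	start := time.Now()
	f()
	return time.Since(start)
}

func main() {
	auth := NewBasicAuth(map[string]string{"alice": "correct horse"}) // constructed user table
	fmt.Println("leaky    known/unknown:",
		timeIt(func() bool { return auth.VerifyLeaky("alice", "wrong") }),
		timeIt(func() bool { return auth.VerifyLeaky("mallory", "wrong") }))
	fmt.Println("constant known/unknown:",
		timeIt(func() bool { return auth.VerifyConstantWork("alice", "wrong") }),
		timeIt(func() bool { return auth.VerifyConstantWork("mallory", "wrong") }))
}
```

The fallback credential has to be computed once, with a random secret, and then reused unchanged; recomputing or regenerating it per request reintroduces a cost difference between the two paths, and deriving it from anything attacker-observable would let the fallback be matched. Running `main` prints the known/unknown timings side by side so the gap in the leaky path is visible.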