Traefik vulnerabilities
47 known vulnerabilities affecting traefik/traefik.
Total CVEs: 47
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in the wild: 1
Severity breakdown: CRITICAL 9, HIGH 23, MEDIUM 13, LOW 2
Vulnerabilities
Page 2 of 3
CVE-2023-39325 [HIGH, CVSS 7.5, P3] CWE-770. Fixed in 2.10.5. Affected: ≥ 3.0.0-beta1, < 3.0.0-beta4. Published 2023-10-11.
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. Wit
Source: nvd
CVE-2024-45410 [HIGH, CVSS 7.5, P3] CWE-345. Fixed in 2.11.9. Affected: ≥ 3.0.0, < 3.1.3 (+1 more). Published 2024-09-19.
Traefik is a Go cloud native application proxy. When an HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For an HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value
Source: nvd
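The header trust problem behind CVE-2024-45410, as an added example that is not Traefik's code: a Go reverse proxy built on net/http/httputil with two modes. With overwrite=false it fills X-Forwarded-* only when the client left them empty, so a client can pre-seed them; with overwrite=true it deletes whatever arrived and rewrites the headers from what it observed on the connection. The `probe` helper, the recording backend and the spoofed values (attacker.example, 10.0.0.1) are constructed for the demonstration, and the proxy is assumed to be the first hop, so nothing upstream of it is trusted.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// Headers an application behind the proxy may trust for host-based checks,
// URL generation or client IP. They are only trustworthy if the proxy is
// guaranteed to be their sole writer.
var forwardedHeaders = []string{
	"X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto", "X-Forwarded-For",
}

func portOf(hostport, def string) string {
	if _, p, err := net.SplitHostPort(hostport); err == nil {
		return p
	}
	return def
}

// newProxy builds a reverse proxy in front of backend. overwrite=false keeps
// the flawed pattern (fill the header only if the client left it empty), so
// a client can pre-seed any value. overwrite=true drops whatever arrived and
// sets the headers from what the proxy itself observed. Assumption: the
// proxy is the first hop, so nothing upstream of it is trusted.
func newProxy(backend *url.URL, overwrite bool) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(backend)
	base := rp.Director
	rp.Director = func(r *http.Request) {
		base(r) // points r.URL at the backend; r.Host stays what the client sent
		if overwrite {
			for _, h := range forwardedHeaders {
				r.Header.Del(h)
			}
		}
		set := func(k, v string) {
			if overwrite || r.Header.Get(k) == "" {
				r.Header.Set(k, v)
			}
		}
		set("X-Forwarded-Host", r.Host)
		set("X-Forwarded-Port", portOf(r.Host, "80"))
		set("X-Forwarded-Proto", "http")
		// X-Forwarded-For is appended by httputil after Director returns:
		// with the incoming value deleted, the backend sees only r.RemoteAddr.
	}
	return rp
}

// probe stands up a recording backend and the proxy, sends one request that
// carries attacker-chosen X-Forwarded-* values (constructed here), and
// returns the values the backend actually received plus the proxy's host.
func probe(overwrite bool) (map[string]string, string, error) {
	var mu sync.Mutex
	seen := map[string]string{}
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		for _, h := range forwardedHeaders {
			seen[h] = r.Header.Get(h)
		}
	}))
	defer backend.Close()
	backendURL, err := url.Parse(backend.URL)
	if err != nil {
		return nil, "", err
	}
	proxy := httptest.NewServer(newProxy(backendURL, overwrite))
	defer proxy.Close()

	req, err := http.NewRequest(http.MethodGet, proxy.URL+"/", nil)
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("X-Forwarded-Host", "attacker.example") // constructed spoofed values
	req.Header.Set("X-Forwarded-Proto", "https")
	req.Header.Set("X-Forwarded-For", "10.0.0.1")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, "", err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return seen, strings.TrimPrefix(proxy.URL, "http://"), nil
}

func main() {
	for _, overwrite := range []bool{false, true} {
		seen, host, err := probe(overwrite)
		if err != nil {
			panic(err)
		}
		fmt.Printf("overwrite=%v proxy=%s backend saw %v\n", overwrite, host, seen)
	}
}
```

The same two requests make a cheap regression check against a real edge: point them at a backend that echoes its request headers and confirm the spoofed values never reach it.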
CVE-2022-23632 [HIGH, CVSS 7.5, P3] CWE-295. Fixed in 2.6.1. Published 2022-02-17.
Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sen
Source: nvd
CVE-2024-39321 [HIGH, CVSS 7.5, P3] CWE-639. Fixed in 2.11.6. Affected: ≥ 3.0.0, < 3.0.4 (+3 more). Published 2024-07-05.
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.
Source: nvd
CVE-2024-28869 [HIGH, CVSS 7.5, P3] CWE-755. Fixed in 2.11.2. Affected: v3.0.0 (+1 more). Published 2024-04-12.
Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in version 2.
Source: nvd
CVE-2026-22045 [HIGH, CVSS 7.5, P3] CWE-770. Fixed in 2.11.35. Affected: ≥ 3.0.0, < 3.6.7 (+1 more). Published 2026-01-15.
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can o
Source: nvd
CVE-2021-32813 [HIGH, CVSS 8.1, P3] CWE-913. Fixed in 2.4.13. Affected: ≤ 1.7.30. Published 2021-08-03.
Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to preven
Source: nvd
CVE-2026-54761 [HIGH, CVSS 7.1, P3] CWE-284. Fixed in 3.6.21. Affected: ≥ 3.7.0, < 3.7.5 (+1 more). Published 2026-06-23.
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of t
Source: nvd
CVE-2025-66490 [MEDIUM, CVSS 6.5, P3] CWE-436. Fixed in 2.11.32. Affected: ≥ 3.0.0, < 3.6.3 (+3 more). Published 2025-12-09.
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 3.x versions prior to 3.6.3, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach u
Source: nvd
CVE-2023-47633 [HIGH, CVSS 7.5, P3] CWE-400. Affected: ≤ 2.10.5, v3.0.0 (+2 more). Published 2023-12-04.
Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There
Source: nvd
CVE-2026-29777 [MEDIUM, CVSS 6.5, P3] CWE-74. Fixed in 3.6.10. Published 2026-03-11.
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, a tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic
Source: nvd
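How the backtick break-out in CVE-2026-29777 works and what refusing it looks like, as an added Go example that is not Traefik's code. It builds rule strings in the Host(`…`) / Header(`…`, `…`) / Query(`…`, `…`) shape the entry describes: `buildRuleUnsafe` pastes tenant values straight into the tokens, `buildRule` refuses any value that cannot be quoted. The HTTPRouteMatch type and the payload value are constructed for the example, and `hostsIn` is an admission-style check of my own, not a Traefik API.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// HTTPRouteMatch is the slice of an HTTPRoute match a tenant controls,
// constructed for this example (not the Gateway API types).
type HTTPRouteMatch struct {
	ListenerHost string            // owned by the gateway operator, not the tenant
	Headers      map[string]string // header name -> exact value
	Query        map[string]string // query key -> exact value
}

func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// buildRuleUnsafe reproduces the injection: tenant values are pasted
// between backticks unchecked, so a backtick inside a value closes the
// token early and the rest of the value is parsed as rule syntax.
func buildRuleUnsafe(m HTTPRouteMatch) string {
	parts := []string{fmt.Sprintf("Host(`%s`)", m.ListenerHost)}
	for _, k := range sortedKeys(m.Headers) {
		parts = append(parts, fmt.Sprintf("Header(`%s`, `%s`)", k, m.Headers[k]))
	}
	for _, k := range sortedKeys(m.Query) {
		parts = append(parts, fmt.Sprintf("Query(`%s`, `%s`)", k, m.Query[k]))
	}
	return strings.Join(parts, " && ")
}

// token quotes one value for a backtick-delimited rule token. The rule
// language has no escape for a backtick, so the only safe choice is to
// refuse it; control characters are refused too, since they never belong
// in a header name or query key.
func token(v string) (string, error) {
	for _, r := range v {
		if r == '`' || r < 0x20 || r == 0x7f {
			return "", fmt.Errorf("value %q cannot be quoted safely in a rule", v)
		}
	}
	return "`" + v + "`", nil
}

// buildRule is the hardened builder: every string, including the
// operator-owned hostname, goes through token before it reaches the rule.
func buildRule(m HTTPRouteMatch) (string, error) {
	host, err := token(m.ListenerHost)
	if err != nil {
		return "", err
	}
	parts := []string{"Host(" + host + ")"}
	add := func(fn string, src map[string]string) error {
		for _, k := range sortedKeys(src) {
			key, err := token(k)
			if err != nil {
				return err
			}
			val, err := token(src[k])
			if err != nil {
				return err
			}
			parts = append(parts, fn+"("+key+", "+val+")")
		}
		return nil
	}
	if err := add("Header", m.Headers); err != nil {
		return "", err
	}
	if err := add("Query", m.Query); err != nil {
		return "", err
	}
	return strings.Join(parts, " && "), nil
}

var hostRe = regexp.MustCompile("Host\\(`([^`]*)`\\)")

// hostsIn lists every hostname a rule claims. In a shared gateway an
// admission check can require this set to stay within the listener's
// hostname, whichever builder produced the rule.
func hostsIn(rule string) []string {
	var hosts []string
	for _, m := range hostRe.FindAllStringSubmatch(rule, -1) {
		hosts = append(hosts, m[1])
	}
	return hosts
}

func main() {
	evil := HTTPRouteMatch{
		ListenerHost: "tenant-a.example",
		// Constructed payload: closes the Header value token and appends a
		// Host() clause for a hostname this tenant does not own.
		Headers: map[string]string{"X-Tenant": "a`) || Host(`victim.example"},
	}
	fmt.Println(buildRuleUnsafe(evil), hostsIn(buildRuleUnsafe(evil)))
	_, err := buildRule(evil)
	fmt.Println("hardened builder:", err)
}
```

Rejecting at build time is the right layer: once the string has been handed to the rule parser, `victim.example` is just another Host() clause and nothing downstream can tell it came from a header value.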
CVE-2023-47106 [MEDIUM, CVSS 6.5, P3] CWE-20. Affected: ≤ 2.10.5, v3.0.0 (+2 more). Published 2023-12-04.
Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another fron
Source: nvd
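The two request-target problems above, encoded restricted characters in CVE-2025-66490 and the forwarded fragment in CVE-2023-47106, as one added Go example that is not Traefik's code. `normalizeTarget` strips the fragment, refuses percent-encoded forms of the restricted characters and malformed escapes, then decodes and cleans the path before `routeFor` evaluates PathPrefix rules against it; `naiveMatch` shows the raw-target matching the bypass relies on. The restricted-character list is the one in the advisory; the routing table, the request-targets and the 400 responses are my constructed choices.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strconv"
	"strings"
)

// Characters the advisory lists as restricted. Their percent-encoded forms
// are refused before routing: a router matching the raw target and a
// backend decoding it would otherwise disagree about which path was asked for.
var restricted = map[byte]string{
	'/': "slash", '\\': "backslash", 0: "NUL", ';': "semicolon", '?': "question mark", '#': "hash",
}

// Decision is what the edge does with one request-target.
type Decision struct {
	Path   string // normalized path that routing rules are evaluated against
	Status int    // 0 = forward, otherwise the HTTP status to answer with
	Reason string
}

// naiveMatch is the flawed behaviour: PathPrefix evaluated on the raw,
// still-encoded target. The rule matches, the middleware chain for that
// prefix runs, and the backend decodes its way to a different resource.
func naiveMatch(prefix, rawTarget string) bool {
	return strings.HasPrefix(rawTarget, prefix)
}

// normalizeTarget turns an origin-form request-target into the path the
// router must match on: the fragment is dropped rather than forwarded
// (origin-form carries only path and query), encoded restricted characters
// and malformed escapes are refused, and the remainder is decoded and cleaned.
func normalizeTarget(rawTarget string) Decision {
	if i := strings.IndexByte(rawTarget, '#'); i >= 0 {
		rawTarget = rawTarget[:i]
	}
	rawPath := rawTarget
	if i := strings.IndexByte(rawPath, '?'); i >= 0 {
		rawPath = rawPath[:i]
	}
	for i := 0; i < len(rawPath); i++ {
		if rawPath[i] != '%' {
			continue
		}
		if i+2 >= len(rawPath) {
			return Decision{Status: 400, Reason: "truncated percent-escape"}
		}
		v, err := strconv.ParseUint(rawPath[i+1:i+3], 16, 8)
		if err != nil {
			return Decision{Status: 400, Reason: "malformed percent-escape " + rawPath[i:i+3]}
		}
		if name, bad := restricted[byte(v)]; bad {
			return Decision{Status: 400, Reason: "encoded " + name + " (" + rawPath[i:i+3] + ") in path"}
		}
		i += 2
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return Decision{Status: 400, Reason: err.Error()}
	}
	clean := path.Clean("/" + decoded) // resolves "." and "..", collapses "//"
	if strings.HasSuffix(decoded, "/") && clean != "/" {
		clean += "/"
	}
	return Decision{Path: clean}
}

// routeFor picks the service whose PathPrefix rule matches the normalized
// path, longest prefix first; "" means no route (or a rejected request).
func routeFor(rules map[string]string, d Decision) string {
	if d.Status != 0 {
		return ""
	}
	best, svc := "", ""
	for prefix, s := range rules {
		if strings.HasPrefix(d.Path, prefix) && len(prefix) > len(best) {
			best, svc = prefix, s
		}
	}
	return svc
}

func main() {
	rules := map[string]string{"/public": "static", "/admin": "admin-api"} // constructed routing table
	for _, target := range []string{
		"/public/..%2Fadmin/users",    // encoded slash: raw prefix says /public, backend would see /admin/users
		"/public/%2e%2e/admin/users",  // plain traversal: normalized before matching, lands on /admin
		"/public/index.html#/admin/x", // fragment: stripped, never forwarded
		"/public/%3Bdebug",            // encoded semicolon
	} {
		d := normalizeTarget(target)
		fmt.Printf("%-30s naive=%v -> %+v route=%q\n", target, naiveMatch("/public", target), d, routeFor(rules, d))
	}
}
```

The order matters: the encoded-character check runs on the raw path, the prefix match on the cleaned one. Doing either on the wrong form is exactly the disagreement between router and backend that the advisory describes.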
CVE-2019-20894 [HIGH, CVSS 7.5, P3] CWE-295. Affected: ≥ 2.0.0, < 2.0.1. Published 2020-07-02.
Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.
Source: nvd
CVE-2023-29013 [HIGH, CVSS 7.5, P3] CWE-400. Fixed in 2.9.10. Affected: v2.10.0 (+1 more). Published 2023-04-14.
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of serv
Source: nvd
CVE-2022-39271 [HIGH, CVSS 7.5, P3] CWE-400. Fixed in 2.8.8. Affected: v2.9.0 (+2 more). Published 2022-10-11.
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. T
Source: nvd
CVE-2022-23469 [MEDIUM, CVSS 6.5, P3] CWE-200. Fixed in 2.9.6. Published 2022-12-08.
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have
Source: nvd
CVE-2022-46153 [MEDIUM, CVSS 6.5, P3] CWE-295. Fixed in 2.9.6. Published 2022-12-08.
Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without ver
Source: nvd
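Fail-closed TLS option loading for the two mTLS entries above (CVE-2019-20894 and CVE-2022-46153), as an added Go example written for this page rather than Traefik's code. `flawedConfig` reproduces the described behaviour of serving an empty config when the option cannot be built, which in crypto/tls terms means ClientAuth falls back to NoClientCert; `clientAuthConfig` returns an error instead; and `requiresMTLS` is the check to run on every router that is supposed to require client certificates. The tlsOption type, the throwaway CA and the broken PEM are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// tlsOption mirrors the shape of a per-router TLS option: the CA bundle
// that client certificates must chain to. Constructed for this example.
type tlsOption struct {
	Name     string
	ClientCA []byte // PEM; an operator typo here is the CVE-2022-46153 scenario
}

// clientAuthConfig builds the router's server-side TLS config and fails
// closed: a CA bundle that yields no certificate is an error, never a
// config that silently accepts any client.
func clientAuthConfig(opt tlsOption) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(opt.ClientCA) {
		return nil, fmt.Errorf("tls option %q: client CA bundle contains no parsable certificate", opt.Name)
	}
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}, nil
}

// flawedConfig is the failure mode described above: when the option cannot
// be built, the router is served with an empty config. In crypto/tls that
// means ClientAuth == NoClientCert, so the router answers without ever
// asking for, let alone verifying, a client certificate.
func flawedConfig(opt tlsOption) *tls.Config {
	cfg, err := clientAuthConfig(opt)
	if err != nil {
		return &tls.Config{MinVersion: tls.VersionTLS12}
	}
	return cfg
}

// requiresMTLS is the check a deployment test should run against every
// router that is supposed to be mTLS-protected.
func requiresMTLS(cfg *tls.Config) bool {
	return cfg != nil && cfg.ClientAuth == tls.RequireAndVerifyClientCert && cfg.ClientCAs != nil
}

// selfSignedCA generates a throwaway CA certificate in PEM form so the
// example runs without any files on disk.
func selfSignedCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example client CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, err := selfSignedCA()
	if err != nil {
		panic(err)
	}
	for _, opt := range []tlsOption{
		{Name: "good", ClientCA: ca},
		{Name: "typo", ClientCA: []byte("-----BEGIN CERTIFICATE-----\nnot a certificate\n-----END CERTIFICATE-----\n")},
	} {
		_, err := clientAuthConfig(opt)
		fmt.Printf("%-4s fail-closed err=%v; flawed config requires mTLS=%v\n", opt.Name, err, requiresMTLS(flawedConfig(opt)))
	}
}
```

The check in `requiresMTLS` is cheap enough to run at startup against every router that carries an mTLS option and to refuse to serve if any of them comes back false.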
CVE-2026-41174 [MEDIUM, CVSS 6.4, P3] CWE-653. Fixed in 2.11.43. Affected: ≥ 3.0.0, < 3.6.14 (+2 more). Published 2026-04-30.
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetesCRD.allowCrossNamespace=false, Traefik correctly rejects direct cross-namespace middleware references from Ingre
Source: nvd
CVE-2026-32305 [MEDIUM, CVSS 5.3, P4] CWE-287. Fixed in 2.11.41. Affected: ≥ 3.0.0, ≤ 3.6.11 (+3 more). Published 2026-03-20.
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and retur
Source: nvd
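A record-aware SNI sniffer for the fragmented-ClientHello case in CVE-2026-32305, as an added Go example rather than Traefik's code. `sniff(r, false)` accumulates handshake records until the full ClientHello is present and turns any truncation into an error; `sniff(r, true)` reproduces the failure class the entry describes (only the first record consulted, truncation reported as "no SNI" with a nil error, which a router then treats as the default route without the mTLS option). `clientHello` and `records` construct the input, so the hello is minimal and the fragmentation artificial; the parsing itself follows the TLS ClientHello layout.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
)

// clientHello builds a minimal ClientHello handshake message (no record
// layer) carrying one server_name extension. Constructed for this example.
func clientHello(sni string) []byte {
	name := []byte(sni)
	ext := binary.BigEndian.AppendUint16(nil, 0)                  // extension_type: server_name
	ext = binary.BigEndian.AppendUint16(ext, uint16(5+len(name))) // extension_data length
	ext = binary.BigEndian.AppendUint16(ext, uint16(3+len(name))) // server_name_list length
	ext = append(ext, 0)                                          // name_type: host_name
	ext = binary.BigEndian.AppendUint16(ext, uint16(len(name)))
	ext = append(ext, name...)
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // client_version, random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)          // empty session_id, one suite, null compression
	body = binary.BigEndian.AppendUint16(body, uint16(len(ext)))
	body = append(body, ext...)
	return append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
}

// records frames a handshake message into handshake records of at most
// chunk bytes; a chunk shorter than the message is a fragmented hello.
func records(msg []byte, chunk int) []byte {
	var out []byte
	for len(msg) > 0 {
		n := len(msg)
		if n > chunk {
			n = chunk
		}
		out = append(append(out, 0x16, 0x03, 0x01, byte(n>>8), byte(n)), msg[:n]...)
		msg = msg[n:]
	}
	return out
}

// hsLen is the total length of the handshake message starting at hs, or -1
// while even the 4-byte handshake header is incomplete.
func hsLen(hs []byte) int {
	if len(hs) < 4 {
		return -1
	}
	return 4 + (int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3]))
}

// parseSNI walks a complete ClientHello and returns host_name ("" when the
// hello has no SNI); any length field pointing past the data is an error.
func parseSNI(hs []byte) (string, error) {
	if n := hsLen(hs); n < 0 || hs[0] != 0x01 || len(hs) < n {
		return "", io.ErrUnexpectedEOF
	}
	b, pos := hs[4:], 34 // past client_version(2) and random(32)
	skip := func(lenBytes int) bool { // step over one length-prefixed field
		if len(b) < pos+lenBytes {
			return false
		}
		n := int(b[pos])
		if lenBytes == 2 {
			n = int(binary.BigEndian.Uint16(b[pos:]))
		}
		pos += lenBytes + n
		return pos <= len(b)
	}
	if !skip(1) || !skip(2) || !skip(1) || len(b) < pos+2 { // session_id, cipher_suites, compression
		return "", io.ErrUnexpectedEOF
	}
	end := pos + 2 + int(binary.BigEndian.Uint16(b[pos:]))
	if len(b) < end {
		return "", io.ErrUnexpectedEOF
	}
	for pos += 2; pos+4 <= end; {
		typ, l := binary.BigEndian.Uint16(b[pos:]), int(binary.BigEndian.Uint16(b[pos+2:]))
		if pos += 4; pos+l > end {
			return "", io.ErrUnexpectedEOF
		}
		if typ == 0 { // server_name: list length(2), name_type(1), name length(2), name
			d := b[pos : pos+l]
			if len(d) < 5 || d[2] != 0 || 5+int(binary.BigEndian.Uint16(d[3:])) > len(d) {
				return "", errors.New("malformed server_name extension")
			}
			return string(d[5 : 5+int(binary.BigEndian.Uint16(d[3:]))]), nil
		}
		pos += l
	}
	return "", nil
}

// sniff reads handshake records until the ClientHello is complete, then
// parses it. failOpen=true reproduces the flawed pre-sniffing pattern: only
// the first record is consulted and a truncated hello is reported as "no
// SNI" with a nil error (a reconstruction of the failure class, not the
// vulnerable code itself).
func sniff(r io.Reader, failOpen bool) (string, error) {
	var hs []byte
	for {
		hdr := make([]byte, 5)
		if _, err := io.ReadFull(r, hdr); err != nil {
			return "", err // fail closed: a cut-off hello never routes anywhere
		}
		if hdr[0] != 0x16 {
			return "", errors.New("record is not a handshake record")
		}
		p := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
		if _, err := io.ReadFull(r, p); err != nil {
			return "", err
		}
		hs = append(hs, p...)
		if n := hsLen(hs); n >= 0 && len(hs) >= n {
			return parseSNI(hs)
		}
		if failOpen {
			return "", nil
		}
	}
}
```

The distinction that matters is between "parsed a complete hello and found no SNI" (a legitimate client that gets the default route) and "ran out of bytes" (an error that must stop routing); collapsing the second into the first is the bypass.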
CVE-2020-9321 [HIGH, CVSS 7.5, P4] CWE-295. Affected: ≥ 2.0.0, ≤ 2.1.4. Published 2020-03-16.
configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.
Source: nvd
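Redaction before logging for CVE-2022-23469 (credentials in the Authorization header reaching debug logs) and CVE-2020-9321 (certificate contents not purged from provider configuration before logging), as one added Go example that is not Traefik's code. `redactHeaders` blanks credential-bearing headers, `redactPEM` blanks any PEM block in a dumped configuration, and `requestLogLine` is the debug line a proxy would emit after both. The header list and the sample request and configuration are my constructed choices.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"sort"
	"strings"
)

// Headers whose values are credentials, in canonical form. Assumption: the
// list is the usual set; extend it for any custom credential header.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
	"Set-Cookie":          true,
}

const redacted = "[REDACTED]"

// redactHeaders returns a copy safe to log: values of credential-bearing
// headers are replaced, everything else is kept so the log stays useful.
func redactHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for k, vs := range h {
		if sensitiveHeaders[http.CanonicalHeaderKey(k)] {
			out[k] = []string{redacted}
			continue
		}
		out[k] = append([]string(nil), vs...)
	}
	return out
}

// pemBlock matches any PEM block (certificates as well as private keys) so
// inline TLS material in a dumped configuration is blanked before logging.
var pemBlock = regexp.MustCompile(`(?s)-----BEGIN ([A-Z ]+)-----.*?-----END [A-Z ]+-----`)

func redactPEM(s string) string {
	return pemBlock.ReplaceAllString(s, "-----BEGIN ${1}----- "+redacted+" -----END ${1}-----")
}

// requestLogLine renders a request for a debug log with secrets removed;
// headers are sorted so the line is stable across runs.
func requestLogLine(r *http.Request) string {
	h := redactHeaders(r.Header)
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s", r.Method, r.URL.RequestURI())
	for _, k := range keys {
		fmt.Fprintf(&b, " %s=%q", k, strings.Join(h[k], ","))
	}
	return b.String()
}

func main() {
	req, _ := http.NewRequest(http.MethodGet, "http://svc.example/api?x=1", nil)
	req.Header.Set("Authorization", "Bearer s3cr3t-token") // constructed sample credential
	req.Header.Set("X-Request-Id", "42")
	fmt.Println(requestLogLine(req))
	// Constructed configuration fragment with an inline key, as a provider
	// might hand it to the watcher.
	cfg := "tls:\n  key: |\n    -----BEGIN EC PRIVATE KEY-----\n    MHcCAQEE\n    -----END EC PRIVATE KEY-----\n"
	fmt.Print(redactPEM(cfg))
}
```

Redacting at the point where the log line is built, rather than in each caller, is what keeps a future DEBUG-level dump of a request or a provider configuration from reintroducing the leak.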