CVE-2023-29013

7.5 HIGH

📋 TL;DR

A memory allocation vulnerability in Go's HTTP header parsing affects the Traefik reverse proxy. Attackers can send specially crafted HTTP headers to cause excessive memory consumption, leading to denial of service. This impacts all Traefik deployments running vulnerable versions.

💻 Affected Systems

Products:
  • Traefik
Versions: All versions before 2.9.10 and 2.10.0-rc2
Operating Systems: All platforms running Traefik
Default Config Vulnerable: ⚠️ Yes
Notes: All Traefik deployments using vulnerable Go versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to memory exhaustion, potentially affecting all services behind the Traefik proxy.

🟠

Likely Case

Degraded performance or intermittent service disruptions as memory resources are consumed.

🟢

If Mitigated

Minimal impact with proper resource limits and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to the Traefik instance with no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.10 or 2.10.0-rc2

Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92

Restart Required: Yes

Instructions:

1. Stop the Traefik service.
2. Update to version 2.9.10 or 2.10.0-rc2.
3. Restart the Traefik service.

🔧 Temporary Workarounds

Rate Limiting

all

Implement HTTP request rate limiting to reduce the impact of attack attempts. Traefik's rateLimit middleware is declared in dynamic configuration (for example via the file provider) and then attached to the entry point; limits are applied per client IP by default, so they only slow down a single source:

# dynamic.yml (file provider): http: { middlewares: { ratelimit: { rateLimit: { average: 100 } } } }
traefik --providers.file.filename=dynamic.yml --entrypoints.web.http.middlewares=ratelimit@file

Memory Limits

linux

Configure container or system memory limits to prevent complete exhaustion

docker run --memory=512m traefik

🧯 If You Can't Patch

  • Implement network-level filtering to block suspicious HTTP headers
  • Deploy additional monitoring for memory consumption spikes

🔍 How to Verify

Check if Vulnerable:

Check the Traefik version with: traefik version (affected if the reported version is below 2.9.10, or is the 2.10.0-rc1 prerelease)

Check Version:

traefik version

Verify Fix Applied:

Confirm the reported version is 2.9.10 or higher (the "v" prefix is optional because traefik version prints the bare number on its Version: line): traefik version | grep -E 'v?2\.(9\.(1[0-9]|[2-9][0-9])|[1-9][0-9]\.[0-9]+)'. This is a substring match, so it also accepts the still-vulnerable 2.10.0-rc1 prerelease; check the rc suffix on the 2.10.0 line by hand.
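As an added example (not part of this advisory), a POSIX shell classifier that applies the fix boundaries above, including the prerelease edge case a substring grep cannot express: 2.10.0-rc1 sorts before 2.10.0-rc2 and is still vulnerable. It assumes traefik version prints a line beginning "Version:" (optionally "v"-prefixed); the wrapper function name and the version strings used for checking are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a Traefik version against the
# CVE-2023-29013 fix boundaries listed above (2.9.10 and 2.10.0-rc2).

# Extract the bare version ("2.10.0-rc1") from `traefik version` output.
# Assumes a line beginning "Version:", optionally with a "v" prefix.
traefik_version_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/^Version:[[:space:]]*v\{0,1\}\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Exit code: 0 = fixed, 1 = vulnerable, 2 = not classified (unparseable or not 2.x).
# Prerelease ordering follows semver: 2.10.0-rc1 < 2.10.0-rc2 (the fix), and a
# 2.9.10-rcN prerelease sorts before 2.9.10, so it is treated as vulnerable.
cve_2023_29013_fixed() {
    ver="$1"
    base="${ver%%-*}"                        # "2.10.0-rc1" -> "2.10.0"
    pre="${ver#"$base"}"; pre="${pre#-}"     # -> "rc1" (empty for a release)
    case "$base" in *.*.*) ;; *) return 2 ;; esac
    major="${base%%.*}"; rest="${base#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    for part in "$major" "$minor" "$patch"; do case "$part" in ''|*[!0-9]*) return 2 ;; esac; done
    if [ "$major" -ne 2 ]; then return 2; fi  # only the 2.x line is in scope
    if [ "$minor" -lt 9 ]; then return 1; fi
    if [ "$minor" -eq 9 ]; then
        if [ "$patch" -gt 10 ]; then return 0; fi
        if [ "$patch" -lt 10 ]; then return 1; fi
        if [ -z "$pre" ]; then return 0; else return 1; fi
    fi
    if [ "$minor" -eq 10 ] && [ "$patch" -eq 0 ] && [ -n "$pre" ]; then
        case "$pre" in rc*) ;; *) return 1 ;; esac       # alpha/beta sort before rc2
        rcnum="${pre#rc}"
        case "$rcnum" in ''|*[!0-9]*) return 1 ;; esac
        if [ "$rcnum" -ge 2 ]; then return 0; else return 1; fi
    fi
    return 0                                  # 2.10.0 final and everything later
}

# Classify the locally installed binary (hypothetical wrapper; prints a verdict).
traefik_cve_2023_29013_status() {
    out="$(traefik version 2>/dev/null)" || { echo "traefik binary not found"; return 2; }
    ver="$(traefik_version_from_output "$out")"
    rc=0; cve_2023_29013_fixed "$ver" || rc=$?
    case "$rc" in 0) echo "$ver: fixed" ;; 1) echo "$ver: VULNERABLE" ;; *) echo "$ver: not classified" ;; esac
    return "$rc"
}
```

Run traefik_cve_2023_29013_status on each host; a non-zero exit code means the host needs attention.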

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory usage patterns
  • Multiple requests with large headers
  • Out of memory errors

Network Indicators:

  • HTTP requests with abnormally large headers
  • Sudden increase in request volume

SIEM Query:

source="traefik" AND ("out of memory" OR "memory allocation" OR "panic")
