CVE-2025-66491
📋 TL;DR
Traefik versions 3.5.0 through 3.6.2 invert the logic of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting it to 'on' (the documented way to enable verification of the backend's TLS certificate) actually disables verification, and 'off' enables it. Traefik will then complete a TLS handshake with whatever certificate is presented to it, so an attacker positioned between Traefik and an HTTPS backend can intercept and tamper with traffic while operators believe the connection is verified. This affects anyone running Traefik in front of Kubernetes Ingress resources that carry the affected annotation.
💻 Affected Systems
- Traefik
📦 What is this software?
Traefik by Traefik
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept and manipulate all HTTPS traffic between Traefik and backend services, potentially stealing sensitive data, injecting malicious content, or redirecting traffic to malicious servers.
Likely Case
Man-in-the-middle attackers can eavesdrop on HTTPS traffic between Traefik and backends, potentially capturing authentication tokens, session cookies, or other sensitive data.
If Mitigated
With network segmentation and a private certificate authority the exposure is reduced, but anyone who reaches the network path between Traefik and a backend, whether an external attacker who has pivoted inside or a malicious insider, can still exploit it.
🎯 Exploit Status
Exploitation requires a network position from which traffic between Traefik and a backend can be intercepted or redirected (for example, a compromised host on the same segment). Once there, nothing else is needed: because verification is off, Traefik accepts whatever certificate the interceptor presents.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.3
Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj
Restart Required: Yes
Instructions:
1. Update Traefik to version 3.6.3 or later.
2. Restart Traefik pods/containers.
3. If you applied the temporary workaround of setting the annotation to 'off', set it back to 'on' (or remove it) as part of the same rollout: on 3.6.3+ 'off' really does disable verification.
4. Verify the annotation behaviour is now correct by pointing a test Ingress with proxy-ssl-verify 'on' at a backend whose certificate Traefik should not trust and confirming that the request fails instead of being proxied.
🔧 Temporary Workarounds
Set the annotation to 'off' or remove it
Either set nginx.ingress.kubernetes.io/proxy-ssl-verify to 'off' on every affected Ingress, which on a vulnerable version actually enables verification because of the inverted logic, or remove the annotation entirely (removal falls back to the provider's default behaviour for that Ingress, so confirm what you get before relying on it). Record every Ingress you change: the 'off' workaround depends on the bug and must be reverted when you upgrade to 3.6.3, where 'off' means off.
Set to 'off':
kubectl annotate ingress <ingress-name> nginx.ingress.kubernetes.io/proxy-ssl-verify=off --overwrite
Or remove it:
kubectl annotate ingress <ingress-name> nginx.ingress.kubernetes.io/proxy-ssl-verify-
🧯 If You Can't Patch
- Use mutual TLS between Traefik and backends with a private certificate authority so that backends only accept connections authenticated by Traefik's client certificate. This limits what an interposed attacker can relay to the real backend, but it does not make the vulnerable Traefik check the backend's certificate: an attacker in the path can still terminate Traefik's TLS session and read or forge responses, so treat it as a partial mitigation.
- Use network-level controls (VLAN segmentation, firewall rules, Kubernetes NetworkPolicy) so that only Traefik can reach backend ports and no untrusted workload shares the path between them; the aim is to deny the man-in-the-middle position the exploit requires.
🔍 How to Verify
Check if Vulnerable:
Check if Traefik version is between 3.5.0 and 3.6.2 inclusive AND the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation is set to 'on' on any ingress resources.
Check Version:
traefik version
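As an added example (not part of this page or of the Traefik project), the following Python script automates the check above: it reads the version from traefik version, run inside the Traefik pod with kubectl exec (the namespace "traefik" and deployment "traefik" are assumptions; adjust them), lists every Ingress whose annotation is set to 'on', and reports the cluster as vulnerable only when both conditions hold. The embedded ingress list and version output are constructed samples so the checks also run offline.

```python
"""Added example, not Traefik project code: assess exposure to CVE-2025-66491.

The vulnerable condition is the conjunction of two facts from the advisory:
  1. Traefik is 3.5.0 .. 3.6.2 inclusive (fixed in 3.6.3), and
  2. at least one Ingress sets nginx.ingress.kubernetes.io/proxy-ssl-verify to "on".
The kubectl commands below (namespace "traefik", deployment "traefik") are
assumptions about your cluster; the embedded sample data is constructed so the
checks also run offline.
"""
import json
import re
import subprocess

ANNOTATION = "nginx.ingress.kubernetes.io/proxy-ssl-verify"
AFFECTED_MIN = (3, 5, 0)
AFFECTED_MAX = (3, 6, 2)  # inclusive; 3.6.3 carries the fix

_SEMVER = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str):
    """Return the first x.y.z triple in `traefik version` output or an image tag."""
    m = _SEMVER.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected_version(text: str) -> bool:
    v = parse_version(text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def ingresses_with_verify_on(ingress_list: dict) -> list:
    """'namespace/name' of every Ingress whose annotation is exactly "on"."""
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION, "")
        if value.strip() == "on":
            hits.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return hits


def assess(version_text: str, ingress_list: dict) -> dict:
    affected = is_affected_version(version_text)
    hits = ingresses_with_verify_on(ingress_list)
    return {
        "version": parse_version(version_text),
        "affected_version": affected,
        "ingresses_with_verify_on": hits,
        # Exposure needs both; on 3.6.3+ the annotation works as documented.
        "vulnerable": affected and bool(hits),
    }


# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE_INGRESSES = {
    "items": [
        {"metadata": {"namespace": "payments", "name": "api",
                      "annotations": {ANNOTATION: "on"}}},
        {"metadata": {"namespace": "web", "name": "frontend",
                      "annotations": {ANNOTATION: "off"}}},
        {"metadata": {"namespace": "ops", "name": "grafana"}},
    ]
}
SAMPLE_VERSION_OUTPUT = "Version:      3.6.1\n"  # constructed


def _run(cmd: list) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main() -> None:
    try:
        # Assumed names: adjust -n and deploy/ to where Traefik actually runs.
        version_text = _run(["kubectl", "exec", "-n", "traefik", "deploy/traefik",
                             "--", "traefik", "version"])
        ingress_list = json.loads(_run(["kubectl", "get", "ingress", "-A", "-o", "json"]))
    except (OSError, subprocess.CalledProcessError, ValueError):
        version_text, ingress_list = SAMPLE_VERSION_OUTPUT, SAMPLE_INGRESSES
    print(json.dumps(assess(version_text, ingress_list), indent=2))


if __name__ == "__main__":
    main()
```

Run it with cluster access and it prints a JSON assessment; every Ingress it lists under ingresses_with_verify_on on an affected version is one whose backend connection is currently unverified.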
Verify Fix Applied:
After updating to 3.6.3+, verify that an Ingress with nginx.ingress.kubernetes.io/proxy-ssl-verify='on' really enforces verification: point it at a backend whose certificate is self-signed or not issued by a CA Traefik trusts and confirm that the request fails instead of being proxied, with a TLS verification error in Traefik's logs. Also confirm that 'off' now disables verification, and revert any Ingress that was set to 'off' as a workaround.
📡 Detection & Monitoring
Log Indicators:
- No TLS verification errors at all for backends you know present self-signed or otherwise untrusted certificates while proxy-ssl-verify is set to 'on': on a vulnerable version the check is skipped, so silence is not evidence that the certificates are valid
- Unexpected certificate validation errors (x509 / 'failed to verify certificate') when proxy-ssl-verify is set to 'off', which on a vulnerable version means verification has actually been turned on
Network Indicators:
- TLS sessions from Traefik to a backend answered with a certificate other than the backend's known one (observable on the wire in TLS 1.2, where the server certificate is sent in the clear; TLS 1.3 encrypts it, so there you can only see that a handshake completed)
- Backend connections from Traefik to IP addresses other than the Service or Pod endpoints it is expected to reach
SIEM Query:
source="traefik" AND ("x509" OR "failed to verify certificate" OR (("certificate" OR "TLS" OR "SSL") AND ("verify" OR "validation")))
(generic search syntax; adapt field names and quoting to your SIEM)
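To support both the "Verify Fix Applied" step and the log indicators above, here is an added Python scanner (not Traefik's own tooling) that pulls backend TLS verification failures out of Traefik logs and groups them by reason. It treats each line as opaque text: JSON lines are parsed and their values joined, anything else is matched raw, so it works on JSON and console log formats alike. The sample log lines are constructed, and the field names and message layout in them are assumptions about Traefik's output; that is why detection keys on the Go crypto/tls and x509 error wording that Traefik passes through rather than on specific fields.

```python
"""Added example, not Traefik's own tooling: pull backend TLS verification
failures out of Traefik logs so the 3.6.3 fix can be confirmed and the
annotation's real effect monitored. Lines are treated as opaque text: JSON
lines are parsed and their values joined, anything else is matched raw, so
the same scan works on --log.format=json and on console output. The sample
lines are constructed; their field names and message layout are assumptions
about Traefik's output, which is why detection keys on the Go crypto/tls and
x509 error wording that Traefik passes through, not on specific fields.
"""
import json
from typing import Iterable, List

# Go's x509 package emits these strings when server-certificate verification
# fails; Go's crypto/tls wraps them as "failed to verify certificate: ...".
# With verification disabled (the vulnerable 'on' case) none of them appear.
X509_REASONS = (
    "certificate signed by unknown authority",      # CA not in Traefik's trust store
    "certificate is valid for",                     # name mismatch ("valid for a, not b")
    "certificate has expired or is not yet valid",
)
GENERIC_MARKERS = ("failed to verify certificate", "x509:")


def classify(text: str):
    """Return the verification-failure reason found in text, or None."""
    low = text.lower()
    for reason in X509_REASONS:
        if reason in low:
            return reason
    if any(marker in low for marker in GENERIC_MARKERS):
        return "other verification failure"
    return None


def _flatten(value) -> str:
    """Join every scalar in a parsed JSON object into one searchable string."""
    if isinstance(value, dict):
        return " ".join(_flatten(v) for v in value.values())
    if isinstance(value, list):
        return " ".join(_flatten(v) for v in value)
    return str(value)


def parse_line(line: str) -> dict:
    line = line.strip()
    if line.startswith("{"):
        try:
            obj = json.loads(line)
            return {"time": obj.get("time"), "level": obj.get("level"),
                    "text": _flatten(obj)}
        except ValueError:
            pass  # not JSON after all; fall through to raw matching
    return {"time": None, "level": None, "text": line}


def verification_failures(lines: Iterable[str]) -> List[dict]:
    """Every log line that records a failed backend certificate check."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec["text"])
        if reason:
            events.append({**rec, "reason": reason})
    return events


def reason_counts(lines: Iterable[str]) -> dict:
    """Histogram by reason: tells a missing CA apart from a hostname mismatch."""
    counts: dict = {}
    for ev in verification_failures(lines):
        counts[ev["reason"]] = counts.get(ev["reason"], 0) + 1
    return counts


# Constructed sample: two JSON-format lines and one console line that carry
# verification failures, plus normal lines that must not match.
SAMPLE_LOG = """
{"level":"debug","time":"2025-12-02T09:14:03Z","message":"'502 Bad Gateway' caused by: tls: failed to verify certificate: x509: certificate signed by unknown authority","router":"payments-api@kubernetes"}
{"level":"info","time":"2025-12-02T09:14:04Z","message":"Configuration loaded from flags."}
{"level":"debug","time":"2025-12-02T09:14:09Z","message":"'502 Bad Gateway' caused by: tls: failed to verify certificate: x509: certificate is valid for api.internal, not api.payments.svc.cluster.local","router":"payments-api@kubernetes"}
2025-12-02T09:15:00Z DBG 502 Bad Gateway error="tls: failed to verify certificate: x509: certificate has expired or is not yet valid"
10.42.0.7 - - [02/Dec/2025:09:15:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "-" 12 "web-frontend@kubernetes" "https://10.42.3.19:8443" 4ms
"""

if __name__ == "__main__":
    import sys
    # Pipe real logs in (kubectl logs ... | python3 scan.py); with no pipe the sample runs.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for ev in verification_failures(lines):
        print(ev["time"], ev["level"], ev["reason"])
    print(reason_counts(lines))
```

How to read the output: on a vulnerable version with the annotation set to 'on', this scan stays empty even against a backend with a self-signed certificate, because the check never runs. After upgrading to 3.6.3 the same backend should start producing these events (and failed requests) until the backend's CA is configured, which is the positive confirmation the fix is in place. Events appearing on a vulnerable cluster for Ingresses set to 'off' are the inverted logic turning verification on.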