CVE-2026-25949

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause a denial of service in the Traefik reverse proxy by exploiting a STARTTLS timeout bypass. An attacker sends the 8-byte Postgres SSLRequest message and then stalls, keeping the connection open indefinitely; enough such connections exhaust the proxy's resources. All Traefik deployments prior to version 3.6.8 are affected.

💻 Affected Systems

Products:
  • Traefik
Versions: All versions prior to 3.6.8
Operating Systems: All platforms running Traefik
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Traefik deployment with entrypoints configured, particularly those handling Postgres or STARTTLS traffic

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to connection pool exhaustion, affecting all traffic through the Traefik proxy

🟠 Likely Case: Degraded performance and intermittent service disruptions as connections accumulate

🟢 If Mitigated: Minimal impact with proper network segmentation and connection limits

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication
🏢 Internal Only: MEDIUM - Still exploitable internally but with more limited attack surface

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple network-level attack requiring minimal technical skill to execute

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.8

Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w

Restart Required: Yes

Instructions:

1. Download Traefik 3.6.8 from the official releases.
2. Stop the current Traefik service.
3. Replace the binary with the patched version.
4. Restart the Traefik service.
5. Verify the version with the 'traefik version' command.

🔧 Temporary Workarounds

Connection timeout reduction (platform: all)

Reduce readTimeout values to limit connection duration

# In the Traefik static configuration, lower the entrypoint read timeout.
# Traefik v3 key path (example value):
# entryPoints.web.transport.respondingTimeouts.readTimeout = "30s"

Network filtering (platform: linux)

Block Postgres SSLRequest packets at the network perimeter

# Example iptables rule to drop packets carrying the 8-byte Postgres SSLRequest
# (int32 length 8, int32 code 80877103 = 0x04d2162f). The string module needs
# --hex-string with |..| notation for raw bytes; a bash "\x00..." literal is not decoded.
# Note: legitimate Postgres clients send the same bytes, so apply this only to
# entrypoints that should never serve Postgres clients.
iptables -A INPUT -p tcp --dport [traefik-port] -m string --hex-string "|00 00 00 08 04 d2 16 2f|" --algo bm -j DROP

🧯 If You Can't Patch

  • Implement rate limiting and connection limits at network level
  • Deploy WAF or IPS with DoS protection capabilities

🔍 How to Verify

Check if Vulnerable:

Check the Traefik version with the 'traefik version' command and compare it against 3.6.8

Check Version:

traefik version

Verify Fix Applied:

Confirm the version is 3.6.8 or higher, then test with simulated SSLRequest packets against a non-production instance to confirm the connection is closed when the read timeout elapses

📡 Detection & Monitoring

Log Indicators:

  • Unusually high number of long-lived connections
  • Connection timeouts exceeding configured limits
  • Multiple connections with minimal data transfer

Network Indicators:

  • Repeated 8-byte packets to Traefik ports followed by silence
  • Abnormal connection duration patterns

SIEM Query:

source="traefik" AND ("readTimeout" OR "connection") AND duration>300s
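The log and network indicators above (an 8-byte SSLRequest followed by silence on a long-lived connection) can be turned into a concrete check. The following is an added example, not code from the advisory or the Traefik project: it scans constructed connection records (the field names `src`, `dport`, `duration_s`, `bytes_in` and `first_bytes` are assumptions about what a flow collector or connection log exports) and reports sources with several stalled SSLRequest connections.

```python
"""Flag connections that look like stalled Postgres SSLRequest sessions.

Added example; field names are assumptions, not a real Traefik log schema.
"""
import json
from collections import defaultdict

# Postgres SSLRequest: int32 length 8, int32 code 80877103 (0x04d2162f)
SSLREQUEST = bytes.fromhex("0000000804d2162f")

# Constructed sample records, one JSON object per line (not real traffic).
SAMPLE_LOG = """\
{"src": "203.0.113.10", "dport": 443, "duration_s": 1800, "bytes_in": 8, "first_bytes": "0000000804d2162f"}
{"src": "203.0.113.10", "dport": 443, "duration_s": 1750, "bytes_in": 8, "first_bytes": "0000000804d2162f"}
{"src": "203.0.113.10", "dport": 443, "duration_s": 1700, "bytes_in": 8, "first_bytes": "0000000804d2162f"}
{"src": "198.51.100.7", "dport": 443, "duration_s": 2, "bytes_in": 8, "first_bytes": "0000000804d2162f"}
{"src": "198.51.100.7", "dport": 443, "duration_s": 12, "bytes_in": 4120, "first_bytes": "160301"}
{"src": "192.0.2.5", "dport": 5432, "duration_s": 900, "bytes_in": 50331, "first_bytes": "0000000804d2162f"}
"""


def parse_records(text):
    """Parse JSON-lines connection records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_stalled_sslrequest(rec, min_duration_s=300, max_bytes_in=8):
    """True when the client sent only the 8-byte SSLRequest (nothing after it)
    and the connection outlived the read timeout the proxy should enforce."""
    first = bytes.fromhex(rec.get("first_bytes", ""))
    return (first.startswith(SSLREQUEST)
            and rec["bytes_in"] <= max_bytes_in
            and rec["duration_s"] >= min_duration_s)


def stalled_by_source(records, min_duration_s=300, max_bytes_in=8, min_conns=3):
    """Return {src: count} for sources with at least min_conns stalled connections.
    Short-lived SSLRequests and real Postgres sessions (more bytes) are ignored."""
    counts = defaultdict(int)
    for rec in records:
        if is_stalled_sslrequest(rec, min_duration_s, max_bytes_in):
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    for src, n in stalled_by_source(parse_records(SAMPLE_LOG)).items():
        print(f"{src}: {n} stalled SSLRequest connections")
```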
