📦 Traefik
by Traefik
⚠️ Known Vulnerabilities
A path traversal vulnerability in Traefik's WASM plugin installation mechanism allows attackers to overwrite arbitrary system files by uploading malicious ZIP archives containing directory traversal s...
This vulnerability in Traefik allows attackers to bypass router path matching rules by using URL-encoded strings in request paths. This could enable access to backend services that should be protected...
Traefik reverse proxy versions before 2.11.24, 3.3.6, and 3.4.0-rc2 contain a path traversal vulnerability in path-based routing matchers. Attackers can bypass middleware security controls and access ...
This vulnerability allows remote unauthenticated attackers to bypass Traefik's protection mechanisms and remove critical X-Forwarded headers that identify client information. Attackers can manipulate ...
This vulnerability allows remote unauthenticated attackers to cause denial of service in Traefik by exploiting a TLS handshake flaw. Attackers can send incomplete TLS records to stall connections inde...
This vulnerability allows unauthenticated attackers to cause denial of service in Traefik reverse proxy by exploiting a STARTTLS timeout bypass. Attackers can send a specific 8-byte Postgres SSLReques...
This vulnerability allows attackers to bypass IP allow-lists in Traefik reverse proxy by sending HTTP/3 early data requests with spoofed IP addresses during QUIC 0-RTT handshakes. This affects all Tra...
Traefik's Docker integration creates an automatic route where Traefik serves as its own backend, causing 100% CPU consumption in a denial-of-service condition. This affects all Traefik deployments usi...
CVE-2023-44487 is an HTTP/2 protocol vulnerability that allows attackers to cause denial of service by rapidly resetting streams, consuming server resources. This affects any system using HTTP/2, incl...
A memory allocation vulnerability in Go's HTTP header parsing affects Traefik reverse proxy. Attackers can send specially crafted HTTP headers to cause excessive memory consumption, leading to denial ...
Traefik versions before 2.6.1 incorrectly handle TLS configuration when requests use fully qualified domain names (FQDNs) in the Host header, potentially causing the wrong TLS certificate to be used. ...
Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 fail to properly purge certificate contents before logging, potentially exposing sensitive TLS certificate data in log files. This affects administrators u...
Traefik reverse proxy versions before 2.11.38 and 3.6.9 have a memory exhaustion vulnerability in the ForwardAuth middleware. When configured with ForwardAuth, Traefik reads authentication server resp...
This vulnerability allows unauthenticated attackers to cause denial of service in Traefik reverse proxy by exploiting the ACME TLS-ALPN challenge mechanism. Attackers can open numerous connections and...
Traefik reverse proxy versions prior to 2.11.32 and 3.6.3 have a path normalization bypass vulnerability. Attackers can use URL-encoded characters to bypass security middleware and access restricted b...
Traefik versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to 'on' (intending to enable backend TL...
This vulnerability in Traefik allows attackers to manipulate the X-Forwarded-Prefix header from untrusted sources, potentially enabling URL redirection attacks. All users running vulnerable versions o...