CVE-2025-66491
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-09

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66491
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
traefik traefik 3.5.0
traefik traefik 3.6.3
traefik traefik 3.6.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Traefik versions 3.5.0 through 3.6.2 involves inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. When this annotation is set to "on" to enable backend TLS certificate verification, it actually disables the verification. This means that operators who believe their backend HTTPS connections are secure are actually vulnerable to man-in-the-middle attacks.

Impact Analysis

The vulnerability can allow an attacker to perform man-in-the-middle attacks against HTTPS backends, potentially intercepting or manipulating sensitive data transmitted between Traefik and backend services. This undermines the security of encrypted connections and can lead to data exposure or compromise.

Mitigation Strategies

Upgrade Traefik to version 3.6.3 or later, where the TLS verification logic issue is fixed. Avoid relying on the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation set to "on" in versions 3.5.0 through 3.6.2, as it disables backend TLS verification and allows man-in-the-middle attacks.

Compliance Impact

This vulnerability undermines TLS certificate verification, allowing man-in-the-middle attacks against HTTPS backends. Such a security flaw can lead to unauthorized interception of sensitive data, which may result in non-compliance with data protection standards and regulations like GDPR and HIPAA that require secure transmission and protection of personal and health information. Therefore, organizations using affected versions of Traefik could face compliance risks due to potential data breaches caused by this vulnerability. [1]

Detection Guidance

To detect this vulnerability, you should check if your Traefik installation is a version between 3.5.0 and 3.6.2 and if the Kubernetes ingress annotations include `nginx.ingress.kubernetes.io/proxy-ssl-verify` set to "on". This setting incorrectly disables backend TLS verification, exposing you to MITM attacks. You can verify the Traefik version by running `traefik version` on your system. To inspect the ingress annotations, use the command `kubectl get ingress -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.metadata.annotations.nginx\.ingress\.kubernetes\.io/proxy-ssl-verify}{"\n"}{end}'`. If you find any ingress with this annotation set to "on" on a vulnerable Traefik version, your system is affected. Additionally, monitoring network traffic for unexpected TLS certificate validation failures or MITM indicators may help detect exploitation attempts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66491. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart