CVE-2025-66491
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | 3.5.0 through 3.6.2 (fixed in 3.6.3) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability undermines TLS certificate verification, allowing man-in-the-middle attacks against HTTPS backends. Such a security flaw can lead to unauthorized interception of sensitive data, which may result in non-compliance with data protection standards and regulations like GDPR and HIPAA that require secure transmission and protection of personal and health information. Therefore, organizations using affected versions of Traefik could face compliance risks due to potential data breaches caused by this vulnerability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two checks, taken together, tell you whether you are exposed. First, confirm the Traefik version: run `traefik version` on the host (or read the image tag of your Traefik deployment). Anything from 3.5.0 up to and including 3.6.2 is affected; 3.6.3 and later are fixed. Second, look for Ingress objects that set `nginx.ingress.kubernetes.io/proxy-ssl-verify` to `on`, because on an affected version that value silently disables backend certificate verification instead of enabling it. Across all namespaces: `kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{.metadata.annotations.nginx\.ingress\.kubernetes\.io/proxy-ssl-verify}{"\n"}{end}'`. Any Ingress listed with `on` on an affected version is relying on verification that is not happening. Note that exploitation produces no certificate-validation failures to alert on: the bug makes Traefik stop validating, so a forged or attacker-controlled backend certificate is accepted without any error in Traefik's logs. Detection therefore has to come from configuration review (version plus annotation), not from TLS errors, and any monitoring of the Traefik-to-backend path must be independent of Traefik itself. [1]
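The two checks above, combined into one offline script, as an added example that is not part of the BaseFortify page or the Traefik project. It takes the text of `traefik version` and the parsed JSON of `kubectl get ingress -A -o json`; the sample version output and Ingress list embedded below are constructed for the example, and the affected range (3.5.0 up to but not including 3.6.3) is taken from this advisory, not from any other source.

```python
import json
import re

# Affected range as stated on this page: 3.5.0 through 3.6.2, fixed in 3.6.3.
FIRST_AFFECTED = (3, 5, 0)
FIXED_IN = (3, 6, 3)
ANNOTATION = "nginx.ingress.kubernetes.io/proxy-ssl-verify"


def parse_version(text):
    """Pull the first x.y.z triple out of a version string or `traefik version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(text):
    """True when the Traefik version falls in [3.5.0, 3.6.3)."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED_IN


def ingresses_relying_on_verify(ingress_list):
    """Return [(namespace, name)] for Ingress objects whose proxy-ssl-verify annotation is "on".

    `ingress_list` is the parsed JSON of `kubectl get ingress -A -o json`.
    Only "on" matters here: on a vulnerable Traefik that value turns backend
    certificate verification off, so these are the objects whose owners believe
    they are protected and are not. Missing or "off" annotations never claimed
    verification in the first place and are not reported.
    """
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        value = annotations.get(ANNOTATION)
        if value is not None and str(value).strip().lower() == "on":
            hits.append((meta.get("namespace", "default"), meta.get("name", "?")))
    return hits


def assess(version_output, ingress_list):
    """Combine both checks: exposed only if the version is affected AND some Ingress relies on "on"."""
    affected = is_affected_version(version_output)
    hits = ingresses_relying_on_verify(ingress_list)
    return {
        "version_affected": affected,
        "ingresses_with_verify_on": hits,
        "exposed": affected and bool(hits),
    }


# Constructed sample inputs (not captured from a real cluster). Against a live
# system you would instead use something like:
#   VERSION_OUTPUT = subprocess.check_output(["traefik", "version"], text=True)
#   INGRESS_LIST = json.loads(subprocess.check_output(
#       ["kubectl", "get", "ingress", "-A", "-o", "json"], text=True))
VERSION_OUTPUT = "Version:      v3.6.2\nCodename:     example\nOS/Arch:      linux/amd64\n"

INGRESS_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"metadata": {"name": "payments-api", "namespace": "prod",
                  "annotations": {"nginx.ingress.kubernetes.io/proxy-ssl-verify": "on"}}},
    {"metadata": {"name": "legacy-app", "namespace": "prod",
                  "annotations": {"nginx.ingress.kubernetes.io/proxy-ssl-verify": "off"}}},
    {"metadata": {"name": "static-site", "namespace": "web"}}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(assess(VERSION_OUTPUT, INGRESS_LIST), indent=2))
```

With the constructed inputs the script reports `prod/payments-api` as exposed on 3.6.2 and nothing on 3.6.3; swap in the live `traefik version` and `kubectl` output to run it against a real cluster. Re-running it after the upgrade is a cheap way to confirm the Ingresses that depend on the annotation are now on a version where `on` means what it says.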
Can you explain this vulnerability to me?
In Traefik versions 3.5.0 through 3.6.2 the handling of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation is inverted: setting it to "on", which is supposed to make Traefik verify the certificate presented by an HTTPS backend, instead disables that verification. Operators who added the annotation precisely because they wanted backend certificates checked therefore end up with the opposite of what they configured, and Traefik accepts any certificate on those connections. This is the classic CWE-295 case: the proxy does not validate the backend's certificate, so an attacker who can interpose on the path between Traefik and the backend can present their own certificate and perform a man-in-the-middle attack.
How can this vulnerability impact me?
An attacker positioned between Traefik and an HTTPS backend can terminate the connection with a certificate of their own, read and modify the traffic, and forward it on, without Traefik noticing. Anything that passes through the affected route is exposed: request bodies, responses, session tokens and credentials carried in headers. Because the failure is silent, the impact is worst for the operators who set the annotation to "on" deliberately, since their monitoring will show the backend connection as TLS-protected when the certificate check is not actually happening.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Traefik to 3.6.3 or later, where the inverted check is corrected. Until the upgrade is done, do not treat nginx.ingress.kubernetes.io/proxy-ssl-verify set to "on" on 3.5.0 through 3.6.2 as providing any backend certificate verification: those connections are effectively unverified and open to man-in-the-middle attacks, so review which backends they reach and how much the network path between Traefik and those backends can be trusted. After upgrading, re-check the Ingresses that carry the annotation to confirm they are now served by a fixed version.