CVE-2026-22045
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traefik | traefik | < 2.11.35 (2.x line, upper bound excluded) |
| traefik | traefik | < 3.6.7 (3.x line, upper bound excluded) |
| traefik | traefik | 2.11.35 |
| traefik | traefik | 3.6.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Traefik affects the ACME TLS-ALPN fast path used for automatic TLS certificate generation. When the ACME TLS challenge is enabled, unauthenticated clients can open many connections, send a minimal ClientHello message advertising the 'acme-tls/1' protocol, and then stop responding. Because the server does not set timeouts or close these connections properly during the TLS handshake, each stalled handshake consumes server resources like goroutines and file descriptors indefinitely. This leads to resource exhaustion and denial of service on the affected entrypoint. [2]
How can this vulnerability impact me?
The vulnerability can lead to a denial of service (DoS) on the Traefik entrypoint where the ACME TLS-ALPN challenge is enabled. A malicious client can exhaust server resources by opening many connections and stalling the TLS handshake, causing the server to run out of goroutines and file descriptors. This results in the affected entrypoint becoming unresponsive, potentially disrupting services relying on Traefik for reverse proxy and load balancing. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for an unusually high number of open connections or goroutines tied to the ACME TLS-ALPN challenge on Traefik entrypoints where the ACME TLS-ALPN challenge is enabled. Specifically, look for many connections that send a minimal ClientHello with the "acme-tls/1" protocol and then stop responding, causing resource exhaustion. Commands to detect this might include using netstat or ss to check for many open connections to the Traefik entrypoint ports, and using system tools to monitor file descriptor usage and goroutine counts in the Traefik process. For example, on Linux, you could use: `ss -tnp | grep traefik` to list TCP connections related to Traefik, and `lsof -p <traefik_pid>` to check open file descriptors. Additionally, monitoring Traefik logs for repeated ACME TLS-ALPN handshake attempts or timeouts could help detect exploitation attempts. [2, 4]
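A small POSIX shell helper, added here as an example (not part of the BaseFortify page or of Traefik's own tooling), that turns the `ss -tnp` check above into a repeatable threshold test: it counts established connections per peer address on the entrypoint port and flags any peer holding an unusual number open, which is the footprint stalled TLS-ALPN handshakes leave. The sample `ss` lines, port 443 as the challenge entrypoint and the threshold are all constructed assumptions.

```shell
#!/bin/sh
# Added example: count ESTAB connections per peer address on the entrypoint
# port from `ss -tnp` output and flag peers holding an unusual number open.
# Many long-lived connections from one peer on the ACME TLS-ALPN entrypoint
# is the symptom described above (stalled handshakes pinning fds/goroutines).

# Constructed sample of `ss -tnp` output (not a real capture); 443 is assumed
# to be the entrypoint with the ACME TLS-ALPN challenge enabled.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:443 198.51.100.7:51022 users:(("traefik",pid=1234,fd=45))
ESTAB 0 0 10.0.0.5:443 198.51.100.7:51023 users:(("traefik",pid=1234,fd=46))
ESTAB 0 0 10.0.0.5:443 198.51.100.7:51024 users:(("traefik",pid=1234,fd=47))
ESTAB 0 0 10.0.0.5:443 203.0.113.9:40001 users:(("traefik",pid=1234,fd=48))
ESTAB 0 0 10.0.0.5:80 198.51.100.7:51030 users:(("traefik",pid=1234,fd=49))'

# stalled_peers PORT THRESHOLD [PROCESS]   (reads ss output on stdin)
# Prints "peer count" for every peer with >= THRESHOLD ESTAB connections to
# local PORT. PROCESS (e.g. traefik) restricts to sockets owned by that
# process; ss only fills the Process column with enough privilege, so it is
# optional.
stalled_peers() {
  awk -v port="$1" -v thr="$2" -v proc="${3:-}" '
    $1 == "ESTAB" && $4 ~ (":" port "$") && (proc == "" || index($6, "\"" proc "\"")) {
      peer = $5; sub(/:[0-9]+$/, "", peer)   # strip the ephemeral source port
      n[peer]++
    }
    END { for (p in n) if (n[p] >= thr) print p, n[p] }'
}

# flood_alert PORT THRESHOLD [PROCESS]: returns 1 (and prints the peers) when
# any peer is over the threshold, so it can drive a cron or monitoring check.
flood_alert() {
  hits=$(stalled_peers "$@")
  if [ -n "$hits" ]; then
    printf 'ALERT: peers with >= %s open connections to :%s\n%s\n' "$2" "$1" "$hits"
    return 1
  fi
  return 0
}

# Live use (as root, so the Process column is present):
#   ss -tnp | flood_alert 443 50 traefik
# Demo on the constructed sample (flags 198.51.100.7 with 3 connections):
printf '%s\n' "$SAMPLE_SS" | flood_alert 443 3 traefik || true
```

Pick the threshold from the entrypoint's normal per-client connection count; a legitimate browser or ACME validator opens a handful at most, while the stalled-handshake pattern shows one peer holding many connections that never progress past the ClientHello.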
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Traefik to 2.11.35 or later (2.x line) or 3.6.7 or later (3.x line), as these versions include the fix that adds timeouts to the ACME TLS-ALPN challenge handshake and properly closes connections to prevent resource exhaustion. After upgrading, consult the migration guide to enable the new opt-in behavior related to the fix. If upgrading immediately is not possible, consider disabling the ACME TLS-ALPN challenge on entrypoints or limiting the number of concurrent connections to reduce the risk of denial of service. Monitoring and applying rate limiting on incoming connections that use the ACME TLS-ALPN protocol can also help mitigate exploitation attempts. [1, 2, 3]