Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25949 is a high-severity denial of service (DoS) vulnerability in Traefik versions up to 3.6.7 related to how Traefik handles STARTTLS requests for the PostgreSQL protocol.'}, {'type': 'paragraph', 'content': "An unauthenticated attacker can exploit this by sending the 8-byte PostgreSQL SSLRequest (STARTTLS) prelude to Traefik and then stalling the connection. This bypasses Traefik's read timeout mechanism, causing the connection to remain open indefinitely."}, {'type': 'paragraph', 'content': 'This happens because Traefik clears connection deadlines during the STARTTLS negotiation phase, which disables the read timeout and causes the server to wait indefinitely for further client communication.'}, {'type': 'paragraph', 'content': 'As a result, each stalled connection consumes resources such as goroutines and file descriptors, which can be exhausted at scale, leading to denial of service.'}] [3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service by exhausting system resources on the Traefik server.

• An attacker can open many stalled connections that remain open indefinitely.
• Each stalled connection consumes a goroutine and a file descriptor.
• At scale, this resource exhaustion can cause Traefik to hit process limits and become unavailable.
• The vulnerability affects any internet-exposed TCP entrypoint using protocol detection with readTimeout enabled, even if no PostgreSQL or TCP routers are configured.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for open connections that send the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stall, causing connections to remain open indefinitely. A proof of concept involves opening multiple TCP connections sending the Postgres SSLRequest and observing if these connections do not close after the configured readTimeout period.

One practical approach is to check the number of open file descriptors or TCP connections to the Traefik server, especially those stuck in a half-open state after sending the Postgres SSLRequest bytes.

While specific commands are not provided in the resources, typical commands to detect such behavior could include:

• Using netstat or ss to list TCP connections and identify those in unusual states or with long durations: e.g., `netstat -anp | grep <traefik_port>` or `ss -tanp | grep <traefik_port>`.
• Using lsof to count open file descriptors for the Traefik process: e.g., `lsof -p <traefik_pid> | wc -l`.
• Monitoring goroutine counts or resource usage of the Traefik process to detect resource exhaustion.

A Python script demonstrating the vulnerability was used in the advisory to open many connections sending the Postgres SSLRequest and measure file descriptor counts before and after sleeping beyond the readTimeout, confirming the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Traefik to version 3.6.8 or later, where this vulnerability has been fixed.

The fix involves improved handling of connection deadlines during the STARTTLS negotiation phase, preventing connections from remaining open indefinitely.

Until the upgrade can be performed, consider limiting exposure of Traefik TCP entrypoints to untrusted networks or applying network-level protections such as firewall rules to restrict access.

Useful 0 Not Useful 0