GHSA-7vww-mvcr-x6vj

Опубликовано: 08 дек. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.9

Описание

Traefik Inverted TLS Verification Logic in ingress-nginx Provider

Impact

There is a potential vulnerability in Traefik NGINX provider managing the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation.

The provider inverts the semantics of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.

Patches

https://github.com/traefik/traefik/releases/tag/v3.6.3

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

A logic error in Traefik's experimental ingress-nginx provider inverts the semantics of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.

Details

In pkg/provider/kubernetes/ingress-nginx/kubernetes.go at line 512, the InsecureSkipVerify field is set using inverted logic:

nst := &namedServersTransport{ Name: provider.Normalize(namespace + "-" + name), ServersTransport: &dynamic.ServersTransport{ ServerName: ptr.Deref(cfg.ProxySSLName, ptr.Deref(cfg.ProxySSLServerName, "")), InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, "off")) == "on", }, }

The expression == "on" evaluates to true when the annotation is "on", setting InsecureSkipVerify: true. In Go's crypto/tls, InsecureSkipVerify: true means "do not verify the server's certificate" — the opposite of what proxy-ssl-verify: "on" should do according to NGINX semantics.

Current behavior:

Annotation Value	InsecureSkipVerify	Actual Result
`"on"`	`true`	Verification disabled ❌
`"off"` (default)	`false`	Verification enabled

Expected behavior (per NGINX semantics):

Annotation Value	InsecureSkipVerify	Expected Result
`"on"`	`false`	Verification enabled
`"off"` (default)	`true`	Verification disabled

The test in pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go lines 397-403 confirms this inverted behavior is codified as "expected":

ServersTransports: map[string]*dynamic.ServersTransport{ "default-ingress-with-proxy-ssl": { ServerName: "whoami.localhost", InsecureSkipVerify: true, // Wrong: should be false when annotation is "on" RootCAs: []types.FileOrContent{"-----BEGIN CERTIFICATE-----"}, }, },

Affected versions: v3.5.0 through current master (introduced in commit 9bd5c617820f2a8d23b50b68d114bb7bc464eccd)

Pavel Kohout Aisle Research

Ссылки

Пакеты

Наименование

github.com/traefik/traefik/v3

Затронутые версииВерсия исправления

>= 3.5.0, <= 3.6.2

3.6.3

EPSS

Процентиль: 1%

0.00009

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2025-66491

Дефекты

CWE-295

Связанные уязвимости

CVE-2025-66491

CVSS3: 5.9

nvd

2 месяца назад

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

CVE-2025-66491

CVSS3: 5.9

debian

2 месяца назад

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 thr ...

EPSS

Процентиль: 1%

0.00009

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2025-66491

Дефекты

CWE-295