CVE-2025-66491

Опубликовано: 09 дек. 2025

Источник: nvd

CVSS3: 5.9

EPSS Низкий

Описание

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

Ссылки

https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4
Patch
https://github.com/traefik/traefik/releases/tag/v3.6.3
Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

Версия от 3.5.0 (включая) до 3.6.3 (исключая)

EPSS

Процентиль: 1%

0.00009

Низкий

5.9 Medium

CVSS3

Дефекты

CWE-295

Связанные уязвимости

CVE-2025-66491

CVSS3: 5.9

debian

2 месяца назад

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 thr ...

GHSA-7vww-mvcr-x6vj

CVSS3: 5.9

github

2 месяца назад

Traefik Inverted TLS Verification Logic in ingress-nginx Provider

EPSS

Процентиль: 1%

0.00009

Низкий

5.9 Medium

CVSS3

Дефекты

CWE-295