CVE-2026-25949
HIGH
GHSA-89p3-4642-cr2w
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.
Analysis
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Traefik instances in production and document current versions. Within 7 days: Apply vendor patch 3.6.8 or later to all affected Traefik deployments, beginning with non-critical environments. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today