CVE-2025-66491 | THREATINT

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

PUBLISHED Reserved 2025-12-02 | Published 2025-12-09 | Updated 2025-12-09 | Assigner GitHub_M

MEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-295: Improper Certificate Validation

Product status

>= 3.5.0, < 3.6.3

affected

References

github.com/...raefik/security/advisories/GHSA-7vww-mvcr-x6vj

github.com/...ommit/14a1aedf5704673d875d210d7bacf103a43c77e4

github.com/traefik/traefik/releases/tag/v3.6.3

cve.org (CVE-2025-66491)

nvd.nist.gov (CVE-2025-66491)

Download JSON