PT-2024-28446 · Traefik+1

Mwedl · Published 2024-07-05 · Updated 2025-11-25

CVE-2024-39321

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3

Description: The issue allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. This occurs because HTTP/3 servers process early data requests before the handshake is completed and the client's IP address is validated. Attackers can obtain a session ticket from the HTTP/3 server, then prepare a UDP datagram containing a QUIC initial packet with a TLS ClientHello and the session ticket, a QUIC 0-RTT packet with early data encrypted with the pre-shared key from the session ticket, and an HTTP/3 request. This prepared UDP datagram can be sent to the server with an arbitrarily spoofed source IP address, allowing the attacker to bypass IP allow-lists.

Recommendations: To resolve the issue, update to Traefik version 2.11.6, 3.0.4, or 3.1.0-rc3, as these versions contain a patch for the vulnerability. For versions prior to 2.11.6, consider responding with HTTP status code 425 Too Early when 0-RTT early data requests match ipAllowList.sourceRange middleware. Alternatively, delay processing of 0-RTT early data requests until the handshake is completed and the client's IP address is validated when 0-RTT early data requests match ipAllowList.sourceRange middleware.
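As an added illustration of the 425 Too Early recommendation (example code, not Traefik's own middleware): a Go allow-list check that refuses a 0-RTT early-data request before trusting its source address, then applies the sourceRange test only to requests whose handshake has completed. It assumes the HTTP/3 server exposes early-data requests with r.TLS.HandshakeComplete set to false; allowList, newAllowList, verdict and request are constructed names.

```go
package main

import (
	"crypto/tls"
	"net"
	"net/http"
)

// allowList is a constructed stand-in for ipAllowList.sourceRange, not
// Traefik's own middleware.
type allowList struct{ nets []*net.IPNet }

// newAllowList parses the configured CIDRs; unparsable entries are skipped.
func newAllowList(cidrs ...string) *allowList {
	a := &allowList{}
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			a.nets = append(a.nets, n)
		}
	}
	return a
}

// verdict returns 0 when r may proceed, else the status to answer with. A
// request carried as 0-RTT early data gets 425 Too Early before the list is
// consulted: its source address is unvalidated until the handshake completes
// and may be spoofed. Assumption: the HTTP/3 server exposes early-data
// requests as r.TLS.HandshakeComplete == false.
func (a *allowList) verdict(r *http.Request) int {
	if r.TLS != nil && !r.TLS.HandshakeComplete {
		return http.StatusTooEarly
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	ip := net.ParseIP(host)
	for _, n := range a.nets {
		if ip != nil && n.Contains(ip) {
			return 0
		}
	}
	return http.StatusForbidden
}

// request builds a synthetic request as a 0-RTT-aware server would present
// it; remoteAddr is the (possibly spoofed) source of the datagram.
func request(remoteAddr string, handshakeDone bool) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "https://example.invalid/", nil)
	r.RemoteAddr = remoteAddr
	r.TLS = &tls.ConnectionState{HandshakeComplete: handshakeDone}
	return r
}
```

A client that receives 425 simply retries the request after the handshake, so legitimate callers lose one round trip while a spoofed datagram never reaches the allow-list decision.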

Related Identifiers

ALSA-2025_16880
ALT-PU-2024-16593
ALT-PU-2024-16754
CVE-2024-39321
ECHO-D285-70B0-FB21
GHSA-GXRV-WF35-62W9
GO-2024-2973
OPENSUSE-SU-2024:14181-1
OPENSUSE-SU-2024:14182-1

Affected Products

Alt Linux
Traefik