PT-2024-6568 · Traefik+1

Drolmat · Published 2024-08-28 · Updated 2025-10-02 · CVE-2024-45410

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 2.11.9; Traefik versions prior to 3.1.3
Description: Traefik adds custom HTTP headers such as X-Forwarded-Host and X-Forwarded-Port to the requests it forwards. HTTP/1.1 allows a sender to declare any header hop-by-hop by naming it in the Connection header, so an HTTP client can cause these proxy-added headers to be removed or modified before they reach the backend. Because the application trusts the values of these headers, this has security implications. The attack relies on this HTTP/1.1 behavior.
Recommendations: For Traefik versions prior to 2.11.9, upgrade to 2.11.9 or later; for versions prior to 3.1.3, upgrade to 3.1.3 or later. As a temporary workaround, consider restricting access to the affected X-Forwarded-Host and X-Forwarded-Port headers until a patch is available, and avoid using the Connection header to define hop-by-hop headers on the affected API endpoints until the issue is resolved.
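
As an added illustration (not Traefik's code and not part of the advisory), the Go snippet below contrasts the ordering flaw described above with the defensive ordering: strip the hop-by-hop headers the client declared via Connection before the proxy sets its own X-Forwarded-* values. The request built by sampleRequest, including the host app.example.test, is constructed for the example.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// dropHopByHop removes the Connection header and every header it names: HTTP/1.1
// (RFC 7230 section 6.1) lets a client declare arbitrary headers hop-by-hop.
func dropHopByHop(h http.Header) {
	for _, v := range h.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			if name = strings.TrimSpace(name); name != "" {
				h.Del(name)
			}
		}
	}
	h.Del("Connection")
}

func setForwarded(req *http.Request) {
	// Record the proxy's own view of the original host and port.
	host, port, err := net.SplitHostPort(req.Host)
	if err != nil { // Host carried no explicit port
		host, port = req.Host, "80"
	}
	req.Header.Set("X-Forwarded-Host", host)
	req.Header.Set("X-Forwarded-Port", port)
}

// forwardVulnerable models the ordering the advisory describes: trusted headers
// are set first, then the hop-by-hop strip deletes any the client listed.
func forwardVulnerable(req *http.Request) {
	setForwarded(req)
	dropHopByHop(req.Header)
}

// forwardFixed strips client-declared hop-by-hop headers first, so the trusted
// values set afterwards are out of the client's reach.
func forwardFixed(req *http.Request) {
	dropHopByHop(req.Header)
	setForwarded(req)
}

// sampleRequest is a constructed request (example input, not from the advisory)
// that marks both forwarded headers hop-by-hop.
func sampleRequest() *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://app.example.test:8443/", nil)
	req.Header.Set("Connection", "X-Forwarded-Host, X-Forwarded-Port")
	return req
}
```

With the vulnerable ordering the backend receives neither forwarded header; with the fixed ordering it receives the proxy's host and port and no Connection header.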

Exploit

Fix

Insufficient Verification of Data Authenticity


Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2024-16593
ALT-PU-2024-16754
ALT-PU-2025-12511
ALT-PU-2025-7693
BDU:2024-07712
CVE-2024-45410
ECHO-678C-79A3-E71D
GHSA-62C8-MH53-4CQV
GO-2024-3135
OPENSUSE-SU-2024:14365-1
OPENSUSE-SU-2024:14367-1

Affected Products

Alt Linux
Traefik