PT-2025-49685 · Traefik +1

Published 2025-12-08 · Updated 2026-01-08 · CVE-2025-66491

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Traefik versions 3.5.0 through 3.6.2

Description: Traefik is an HTTP reverse proxy and load balancer. Its handling of the ingress-nginx compatibility annotation nginx.ingress.kubernetes.io/proxy-ssl-verify is inverted: setting the annotation to "on", the value meant to enable verification of the backend's TLS certificate, instead disables that verification. Traefik then accepts any certificate on the proxy-to-backend hop, so an attacker positioned on the network path between Traefik and an HTTPS backend can impersonate the backend (man-in-the-middle) while the operator believes the connection is verified. Exploitation requires that network position and an Ingress that uses the annotation, which is consistent with the vector's High attack complexity.

Recommendations: Upgrade to Traefik version 3.6.3 or later. Until the upgrade is done, do not rely on this annotation for backend certificate verification, and after upgrading confirm the fix behaviourally: a route to a backend presenting an untrusted certificate must fail, not succeed.
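The following is an added example written for this page; it is not Traefik's code and does not reproduce the actual patch. It models the failure mode the advisory describes as a hypothetical annotation translator (buggySkipVerify, where "on" becomes InsecureSkipVerify=true) next to a corrected mapping (fixedSkipVerify), and then runs the check an operator would want: a request from a Go TLS client to a locally started HTTPS backend whose self-signed certificate is in no trust store. With verification enabled the backend must be rejected; with the buggy mapping it is silently accepted. Names, the fail-secure default for an absent annotation, and the in-process backend are all assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Annotation the advisory is about (ingress-nginx compatibility annotation).
const proxySSLVerifyAnnotation = "nginx.ingress.kubernetes.io/proxy-ssl-verify"

// buggySkipVerify models the failure mode the advisory describes: the value
// "on", meant to enable backend certificate verification, is turned into
// InsecureSkipVerify=true, i.e. verification is disabled.
// Hypothetical illustration for this page, not Traefik's actual code.
func buggySkipVerify(annotations map[string]string) bool {
	v := strings.TrimSpace(annotations[proxySSLVerifyAnnotation])
	return strings.EqualFold(v, "on")
}

// fixedSkipVerify is the corrected mapping: verification is skipped only when
// the operator explicitly asks for "off". An absent or "on" value keeps
// verification enabled. The fail-secure default for an absent annotation is a
// choice made for this example; ingress-nginx's own default for this
// annotation is "off", so check what the real provider does.
func fixedSkipVerify(annotations map[string]string) bool {
	v := strings.TrimSpace(annotations[proxySSLVerifyAnnotation])
	return strings.EqualFold(v, "off")
}

// newUntrustedBackend starts an HTTPS backend with a self-signed certificate
// that no trust store knows: a stand-in for an attacker impersonating the real
// backend on the proxy-to-backend hop.
func newUntrustedBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello from backend")
	}))
}

// backendAccepted performs one request with the given verification setting and
// reports whether the proxy-side client accepted the backend. With
// verification on, the self-signed certificate must be rejected (x509 error).
func backendAccepted(backendURL string, skipVerify bool) bool {
	client := &http.Client{Transport: &http.Transport{
		// skipVerify=true is the dangerous setting the bug produced for "on".
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
	}}
	resp, err := client.Get(backendURL)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

func main() {
	srv := newUntrustedBackend()
	defer srv.Close()

	// Constructed Ingress annotations: the operator asked for verification.
	ann := map[string]string{proxySSLVerifyAnnotation: "on"}
	for name, mapping := range map[string]func(map[string]string) bool{
		"buggy": buggySkipVerify,
		"fixed": fixedSkipVerify,
	} {
		skip := mapping(ann)
		fmt.Printf("%-5s proxy-ssl-verify=on -> InsecureSkipVerify=%v, untrusted backend accepted=%v\n",
			name, skip, backendAccepted(srv.URL, skip))
	}
}
```

Run it with `go run .`: the buggy line reports the untrusted backend as accepted, the fixed line reports it rejected. The same end-to-end check, pointing a test route at a backend with a certificate you do not trust, is the right way to confirm the upgrade to 3.6.3 took effect in a real cluster.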


Weakness Enumeration

CWE-295: Improper Certificate Validation

Related Identifiers

CVE-2025-66491
GHSA-7VWW-MVCR-X6VJ
GO-2025-4205
OPENSUSE-SU-2026:10020-1
SUSE-SU-2026:0037-1

Affected Products

Alt Linux
Traefik