PT-2026-7873 · Traefik · Traefik

Manizada · Published 2026-02-12 · Updated 2026-03-03

CVE-2026-25949
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 3.6.8
Description: Traefik, an HTTP reverse proxy and load balancer, contains a flaw in how it manages STARTTLS requests. An unauthenticated client can bypass the respondingTimeouts.readTimeout setting by sending an 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling the connection. This causes connections to remain open indefinitely, leading to a denial of service. The issue occurs during protocol detection, before routing, and is reachable on an entrypoint even without any Postgres/TCP routers configured. An attacker can send the Postgres SSLRequest, receive a response from Traefik, and then stop sending further bytes, keeping the connection open past the configured read timeout. This consumes file descriptors and goroutines, potentially exhausting system resources and causing the proxy to become unavailable.
Recommendations: Upgrade to Traefik version 3.6.8 or later to resolve this issue.
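The timeout gap described above, shown from the defender's side as an added example (not Traefik's code): a hypothetical listener-side sniffer that keeps one absolute read deadline across the whole detection phase, including the wait after it has answered the SSLRequest, so a client that goes silent is dropped at the configured read timeout. The 8-byte SSLRequest is the public Postgres protocol constant; `detectProtocol`, `ErrStalled` and the single-byte 'N' reply are assumptions of this example.

```go
package main

import (
	"errors"
	"io"
	"net"
	"time"
)

// Postgres SSLRequest prelude: int32 length 8, then int32 code 80877103
// (public protocol constants, not values from the advisory).
const sslRequest = "\x00\x00\x00\x08\x04\xd2\x16\x2f"

// ErrStalled: the peer stopped sending before detection finished.
var ErrStalled = errors.New("peer stalled during protocol detection")

// detectProtocol sniffs the first 8 bytes; on an SSLRequest it answers 'N'
// (no TLS on this hypothetical listener) and waits for the client's next byte.
// One absolute deadline covers every read of the detection phase, so a client
// that stalls after the STARTTLS exchange is dropped at readTimeout instead
// of holding a goroutine and a file descriptor open indefinitely.
func detectProtocol(c net.Conn, readTimeout time.Duration) (string, error) {
	if err := c.SetReadDeadline(time.Now().Add(readTimeout)); err != nil {
		return "", err
	}
	defer c.SetReadDeadline(time.Time{}) // hand a clean conn to the router
	prelude := make([]byte, 8)
	if _, err := io.ReadFull(c, prelude); err != nil {
		return "", classify(err)
	}
	if string(prelude) != sslRequest {
		return "other", nil
	}
	if _, err := c.Write([]byte{'N'}); err != nil {
		return "", err
	}
	if _, err := c.Read(make([]byte, 1)); err != nil { // still under the deadline
		return "", classify(err)
	}
	return "postgres", nil
}

// classify maps a deadline expiry to ErrStalled and passes other errors through.
func classify(err error) error {
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return ErrStalled
	}
	return err
}
```

The vulnerable shape is the same code with no deadline set before the sniff, or with the deadline cleared before the post-reply read; either way the second read blocks forever on a silent peer.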

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2026-25949
GHSA-89P3-4642-CR2W
GO-2026-4484
OPENSUSE-SU-2026:10217-1
SUSE-SU-2026:0757-1

Affected Products

Traefik