Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66491

CVE-2025-66491: Traefik Information Disclosure Flaw

CVE-2025-66491 is an information disclosure vulnerability in Traefik caused by inverted TLS verification logic. This flaw enables man-in-the-middle attacks against HTTPS backends. Learn about affected versions and fixes.

Published:

CVE-2025-66491 Overview

CVE-2025-66491 affects Traefik, an HTTP reverse proxy and load balancer widely deployed in Kubernetes environments. Versions 3.5.0 through 3.6.2 contain inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to on — intended to enable backend TLS certificate verification — instead disables verification. Operators who believe they have hardened backend communication actually expose HTTPS traffic to man-in-the-middle (MITM) attacks. The flaw is classified under [CWE-295] Improper Certificate Validation. Version 3.6.3 resolves the issue.

Critical Impact

Operators enabling proxy-ssl-verify: "on" receive the opposite behavior, silently disabling TLS backend verification and enabling MITM interception of HTTPS traffic.

Affected Products

  • Traefik 3.5.0 through 3.6.2
  • Traefik deployments using the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation
  • Kubernetes ingress-nginx-compatible configurations proxied through Traefik

Discovery Timeline

  • 2025-12-09 - CVE-2025-66491 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66491

Vulnerability Analysis

The vulnerability resides in Traefik's ingress-nginx provider, specifically in the translation of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation into the internal ServersTransport configuration. The code inverted the comparison between the annotation value and the InsecureSkipVerify flag. When operators set the annotation to on, Traefik set InsecureSkipVerify: true, bypassing certificate validation entirely.

This is a silent failure. No warning is emitted, and the ingress controller reports as configured. Attackers positioned between Traefik and backend services can present arbitrary certificates without triggering verification errors. Credentials, session tokens, and application data traversing the proxied HTTPS channel become interceptable.

Root Cause

The defect is a single inverted string comparison in pkg/provider/kubernetes/ingress-nginx/kubernetes.go. The condition evaluated whether the annotation equaled on and assigned that result to InsecureSkipVerify, meaning enabling verification actually skipped it. The corrected logic compares against off so that InsecureSkipVerify is only true when verification is explicitly disabled.

Attack Vector

Exploitation requires an attacker capable of intercepting network traffic between Traefik and backend services. This is plausible in shared Kubernetes clusters, misconfigured network policies, compromised sidecars, or hostile transit networks. The attacker presents a forged certificate for the backend service. Because verification is silently disabled, Traefik accepts the connection and proxies plaintext-decrypted traffic to the adversary. The attacker can observe and modify requests and responses at will.

go
 		Name: provider.Normalize(namespace + "-" + name),
 		ServersTransport: &dynamic.ServersTransport{
 			ServerName:         ptr.Deref(cfg.ProxySSLName, ptr.Deref(cfg.ProxySSLServerName, "")),
-			InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, "off")) == "on",
+			InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, "off")) == "off",
 		},
 	}

Source: Traefik patch commit 14a1aedf. The patch reverses the comparison so InsecureSkipVerify is only enabled when the annotation is off.

Detection Methods for CVE-2025-66491

Indicators of Compromise

  • Backend TLS handshakes succeeding against certificates not issued by the expected internal certificate authority.
  • Ingress resources annotated with nginx.ingress.kubernetes.io/proxy-ssl-verify: "on" running on Traefik 3.5.0 through 3.6.2.
  • Unexpected certificate chains observed in packet captures between Traefik pods and upstream services.

Detection Strategies

  • Inventory all Traefik deployments and identify versions between 3.5.0 and 3.6.2 using kubectl get pods -o jsonpath or Helm release queries.
  • Enumerate ingress objects across namespaces that carry the proxy-ssl-verify annotation and correlate with vulnerable Traefik versions.
  • Perform active TLS validation tests by presenting a self-signed certificate to backend endpoints and verifying that Traefik rejects the connection after patching.

Monitoring Recommendations

  • Log and alert on TLS certificate fingerprint changes for backend services proxied by Traefik.
  • Monitor Traefik access logs for backend response anomalies indicating traffic interception or tampering.
  • Track Kubernetes admission events that create or modify ingress annotations relating to TLS behavior.

How to Mitigate CVE-2025-66491

Immediate Actions Required

  • Upgrade Traefik to version 3.6.3 or later across all clusters running affected versions.
  • Audit every ingress resource using nginx.ingress.kubernetes.io/proxy-ssl-verify and confirm expected verification behavior after upgrade.
  • Rotate credentials and session tokens that traversed backend HTTPS connections while the vulnerable configuration was active.

Patch Information

Traefik maintainers released the fix in Traefik v3.6.3. The corrective commit is tracked in the GitHub Security Advisory GHSA-7vww-mvcr-x6vj and applied in commit 14a1aedf.

Workarounds

  • If immediate upgrade is not possible, remove the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation and configure backend TLS verification through a Traefik ServersTransport resource with insecureSkipVerify: false explicitly set.
  • Enforce mutual TLS (mTLS) between Traefik and backend services using a service mesh so that certificate validation is handled outside the vulnerable annotation path.
  • Restrict pod-to-pod network paths with Kubernetes NetworkPolicies to reduce the attack surface for MITM positioning until patching completes.
bash
# Upgrade Traefik via Helm to the fixed release
helm repo update
helm upgrade traefik traefik/traefik \
  --namespace traefik \
  --version 3.6.3

# Verify running version
kubectl -n traefik exec deploy/traefik -- traefik version

# Audit ingress objects using the vulnerable annotation
kubectl get ingress -A -o json | \
  jq '.items[] | select(.metadata.annotations."nginx.ingress.kubernetes.io/proxy-ssl-verify") | {ns:.metadata.namespace, name:.metadata.name}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.