CVE-2022-39271
HIGHTraefik < 2.8.8 - Denial of Service via HTTP/2 Connection Handling
Title source: llmDescription
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.
References (3)
Core 3
Core References
Release Notes, Third Party Advisory
https://github.com/traefik/traefik/releases/tag/v2.8.8
Release Notes, Third Party Advisory
https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5
Patch, Third Party Advisory
https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr
Scores
CVSS v3
7.5
EPSS
0.0102
EPSS Percentile
58.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-755
CWE-400
Status
published
Products (3)
traefik/traefik
2.9.0 rc1 (4 CPE variants)
traefik/traefik
< 2.8.8
traefik/traefik
0 - 2.8.8Go
Published
Oct 11, 2022
Tracked Since
Feb 18, 2026