CVE-2024-28869
HIGHTraefik < 2.11.2 and 3.0.0-beta3-3.0.0-rc5 - Denial of Service via Content-Length Header
Title source: llmDescription
Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in version 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.
References (5)
Core 5
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw
Patch x_refsource_misc
https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6
Product x_refsource_misc
https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts
Release Notes x_refsource_misc
https://github.com/traefik/traefik/releases/tag/v2.11.2
Release Notes x_refsource_misc
https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
Scores
CVSS v3
7.5
EPSS
0.0105
EPSS Percentile
59.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-755
Status
published
Products (4)
traefik/traefik
3.0.0 (10 CPE variants)
traefik/traefik
< 2.11.2
traefik/traefik
0 - 2.11.2 (2 CPE variants)Go
traefik/traefik
3.0.0-beta3 - 3.0.0-rc5Go
Published
Apr 12, 2024
Tracked Since
Feb 18, 2026