CVE-2025-66491

MEDIUM

Traefik <3.6.2 - Man-in-the-Middle

Title source: llm

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

References (3)

[Patch, Vendor Advisory] https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj

[Patch] https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4

View Patch ZIP pw:eip

[Release Notes] https://github.com/traefik/traefik/releases/tag/v3.6.3

Scores

CVSS v3 5.9

EPSS 0.0001

EPSS Percentile 1.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (2)

traefik/traefik 3.5.0 - 3.6.3

traefik/traefik 3.5.0 - 3.6.3Go

Published Dec 09, 2025

Tracked Since Feb 18, 2026