Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-22045
5.9 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): HIGH
Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
References
-
https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq x_refsource_CONFIRM
-
https://github.com/traefik/traefik/releases/tag/v2.11.35 x_refsource_MISC
-
https://github.com/traefik/traefik/releases/tag/v3.6.7 x_refsource_MISC
Affected products
traefik
- ==>=3.0.0-beta1, < 3.6.7
- ==< 2.11.35
Matching in nixpkgs
pkgs.traefik
Modern reverse proxy
Package maintainers
-
@vdemeester Vincent Demeester <vincent@sbr.pm>
-
@djds djds <git@djds.dev>
-
@NickCao Nick Cao <nickcao@nichi.co>