Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-29777

created 1 month, 1 week ago

Traefik has a kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can bypass listener hostname constraints and redirect traffic for victim hostnames to attacker-controlled backends. This vulnerability is fixed in 3.6.10.

References

https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v3.6.10 x_refsource_MISC

Affected products

traefik

==< 3.6.10

Matching in nixpkgs

pkgs.traefik

Modern reverse proxy

nixos-unstable 3.6.10
- nixpkgs-unstable 3.6.10
- nixos-unstable-small 3.6.10
nixos-25.11 3.6.8
- nixos-25.11-small 3.6.8
- nixpkgs-25.11-darwin 3.6.8

pkgs.traefik-certs-dumper

dump ACME data from traefik to certificates

nixos-unstable 2.11.0
- nixpkgs-unstable 2.11.0
- nixos-unstable-small 2.11.0
nixos-25.11 2.10.0
- nixos-25.11-small 2.10.0
- nixpkgs-25.11-darwin 2.10.0

Package maintainers

@djds djds <git@djds.dev>
@vdemeester Vincent Demeester <vincent@sbr.pm>
@NickCao Nick Cao <nickcao@nichi.co>