VYPR
Moderate severity · NVD Advisory · Published Dec 4, 2023 · Updated Dec 18, 2024

Denial of service with ACME HTTPChallenge in Traefik

CVE-2023-47124

Description

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a slowloris attack. This vulnerability has been patched in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the HTTPChallenge with the TLSChallenge or the DNSChallenge.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Traefik HTTPChallenge 50-second timeout enables slowloris-style DoS by keeping connections open; patched in v2.10.6 and v3.0.0-beta5.

Vulnerability Overview

Traefik, an open-source HTTP reverse proxy and load balancer, configures Let's Encrypt TLS certificates using either HTTPChallenge, TLSChallenge, or DNSChallenge. CVE-2023-47124 arises specifically when HTTPChallenge is used. The challenge process imposes a 50-second delay for solving the token, and this window can be abused by an attacker to perform a slowloris-style denial-of-service attack. By slowly sending partial HTTP requests, the attacker keeps connections open and exhausts server resources, preventing legitimate traffic from being served [1].

Attack Vector

Exploitation requires no authentication and uses standard HTTP semantics; the attacker simply sends incomplete request headers at a low rate within the 50-second challenge timeout. No special network position is needed beyond the ability to reach the Traefik instance, making this attack surface broad for any public-facing Traefik deployment using HTTPChallenge for ACME certificate management [1][2].

Impact

A successful slowloris attack tied to this vulnerability can lead to prolonged denial of service, rendering Traefik unable to respond to legitimate requests. Since TLS certificate renewal typically runs periodically, the attack can be repeated or timed to degrade availability without requiring any privilege escalation or code execution [1][3].

Mitigation

The vulnerability is fixed in Traefik versions 2.10.6 and 3.0.0-beta5. Users on older versions should upgrade to these releases. For those unable to upgrade immediately, the recommended workaround is to replace the HTTPChallenge with either the TLSChallenge or the DNSChallenge, as these methods do not impose the same exploitable delay window [1][4].
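As an added example (not taken from the advisory or from the Traefik project), the static-configuration change behind this workaround: the HTTPChallenge resolver that is affected on versions before 2.10.6 / 3.0.0-beta5, followed by the same resolver rewritten for TLSChallenge and for DNSChallenge. The resolver name, e-mail address, storage path, entry point name and DNS provider are assumed placeholders.

```yaml
# Added example; not the advisory's or Traefik's own configuration.
# Traefik static configuration (traefik.yml). Names below are placeholders.

# BEFORE (affected): HTTP-01 challenge answered on the plain-HTTP entry point.
# On versions earlier than 2.10.6 / 3.0.0-beta5 the challenge responder
# allows up to 50 seconds per connection, the window the advisory describes.
certificatesResolvers:
  letsencrypt:                        # placeholder resolver name
    acme:
      email: admin@example.com        # placeholder contact address
      storage: /etc/traefik/acme.json # placeholder certificate store
      httpChallenge:
        entryPoint: web               # placeholder name of the :80 entry point

---
# AFTER (workaround when an upgrade is not yet possible): keep the resolver
# name so routers that reference it are unchanged, but complete the ACME
# order with TLS-ALPN-01 instead. This needs TCP/443 reachable from the CA
# and takes no entry point option.
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /etc/traefik/acme.json
      tlsChallenge: {}

---
# ALTERNATIVE: DNS-01, which needs no inbound listener for the challenge at
# all. The provider value and its credential environment variables are
# provider specific; "cloudflare" is only an illustrative choice.
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare          # placeholder provider
```

Certificates already present in the storage file are kept; only future issuance and renewal go through the new challenge type, so the change can be made without re-issuing everything at once.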

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
github.com/traefik/traefik/v2        Go          < 2.10.6            2.10.6
github.com/traefik/traefik/v3        Go          < 3.0.0-beta5       3.0.0-beta5
