Uncontrolled Resource Consumption in Traefik
Description
Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A default Traefik Docker configuration creates an automatic self-referencing route that causes 100% CPU usage and unresponsiveness when the container's hostname is requested.
Vulnerability Description
CVE-2023-47633 affects Traefik, an open-source HTTP reverse proxy and load balancer. The root cause is an automatically generated route in the Docker provider integration that, by default, creates a backend pointing to the Traefik container itself [1][2]. This self-referencing route uses the container's hostname (e.g., traefik-service or the container name) [4].
Exploitation Conditions
An attacker who can reach the Traefik HTTP entrypoint on port 80 or 443 and knows the Docker container name or hostname can trigger the vulnerability. This can be as simple as a curl request with the --resolve flag to force the hostname resolution [4]. No authentication is required, and no complex setup is needed beyond the default Docker provider configuration [2].
Impact
When the self-referencing route is hit, it creates an endless loop of requests within the proxy, causing Traefik to consume 100% CPU and making the entire server unresponsive [4]. This results in a denial of service (DoS), rendering any services behind the reverse proxy unreachable until the container is manually restarted.
Mitigation
The vulnerability is fixed in Traefik versions 2.10.6 and 3.0.0-beta5 [1][3]. Users should upgrade to these patched versions. There are no known workarounds [1]. Upgrading directly addresses the automatic routing logic that created the self-loop.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/traefik/traefik/v2 (Go) | < 2.10.6 | 2.10.6 |
| github.com/traefik/traefik/v3 (Go) | < 3.0.0-beta5 | 3.0.0-beta5 |
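
The version thresholds in the table above, turned into a check, as an added example (not code from the advisory or the Traefik project). The function names, error messages and sample versions are assumptions made for illustration; ordering follows SemVer 2.0.0 precedence, so 3.0.0-beta4 is reported as affected while 3.0.0-rc1 is not.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example; names are illustrative. First patched release per major line, from the table above.
var fixed = map[int]string{2: "2.10.6", 3: "3.0.0-beta5"}

// parse splits "v2.10.5" or "3.0.0-beta4" into a numeric core and one pre-release identifier.
func parse(v string) (core [3]int, pre string, err error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(strings.TrimSpace(v), "v"), "+") // drop build metadata
	c, pre, hasPre := strings.Cut(v, "-")
	_, err = fmt.Sscanf(c, "%d.%d.%d", &core[0], &core[1], &core[2])
	canon := fmt.Sprintf("%d.%d.%d", core[0], core[1], core[2]) // rejects trailing junk, leading zeros
	if err != nil || canon != c || strings.Contains(pre, ".") || (hasPre && pre == "") {
		return core, "", fmt.Errorf("unsupported version %q", v)
	}
	return core, pre, nil
}

// Affected reports whether version precedes the fix for its major line (SemVer 2.0.0 order).
func Affected(version string) (bool, error) {
	c, pre, err := parse(version)
	if err != nil {
		return false, err
	}
	fix, ok := fixed[c[0]]
	if !ok {
		return false, fmt.Errorf("major version %d is not listed in the table", c[0])
	}
	fc, fpre, _ := parse(fix)
	for i := range c {
		if c[i] != fc[i] {
			return c[i] < fc[i], nil
		}
	}
	if pre == "" || fpre == "" {
		return pre != "", nil // a pre-release sorts before the plain release
	}
	return pre < fpre, nil // alphanumeric identifiers compare in ASCII order
}

func main() {
	for _, v := range []string{"v2.10.5", "2.10.6", "3.0.0-beta4", "3.0.0-rc1"} { // constructed samples
		affected, err := Affected(v)
		fmt.Println(v, affected, err)
	}
}
```

Versions outside the two listed major lines, or with a dotted pre-release tag, return an error instead of a guess, so they can be reviewed by hand.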
Affected products
- osv-coords (7 versions):
  - pkg:apk/chainguard/traefik
  - pkg:apk/chainguard/traefik-fips
  - pkg:apk/wolfi/traefik
  - pkg:golang/github.com/traefik/traefik/v2
  - pkg:golang/github.com/traefik/traefik/v3
  - pkg:rpm/opensuse/traefik2&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 2.10.6-r0
- (no CPE) range: < 0
- (no CPE) range: < 2.10.6-r0
- (no CPE) range: < 2.10.6
- (no CPE) range: < 3.0.0-beta5
- (no CPE) range: < 2.11.5-1.1
- (no CPE) range: < 2.10.7-1.1
References
- github.com/advisories/GHSA-6fwg-jrfw-ff7p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-47633 (ghsa, ADVISORY)
- github.com/traefik/traefik/releases/tag/v2.10.6 (ghsa, x_refsource_MISC, WEB)
- github.com/traefik/traefik/releases/tag/v3.0.0-beta5 (ghsa, x_refsource_MISC, WEB)
- github.com/traefik/traefik/security/advisories/GHSA-6fwg-jrfw-ff7p (ghsa, x_refsource_CONFIRM, WEB)