High severity · NVD Advisory · Published Apr 12, 2024 · Updated Aug 2, 2024

Possible denial of service vulnerability with Content-length header in Traefik

CVE-2024-28869

Description

Traefik is an HTTP reverse proxy and load balancer. In affected versions, sending a GET request to any Traefik endpoint with a "Content-length" request header results in an indefinite hang under the default configuration. Attackers can exploit this to induce a denial of service. The issue has been addressed in versions 2.11.2 and 3.0.0-rc5; users are advised to upgrade. For affected versions, it can be mitigated by configuring the readTimeout option.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Traefik versions before 2.11.2 and 3.0.0-rc5 are vulnerable to denial of service via a GET request with a Content-Length header that causes an indefinite hang.

Traefik, an HTTP reverse proxy and load balancer, has a vulnerability where sending a GET request with a Content-Length header causes an indefinite hang when using default configuration. This occurs because the default value for the readTimeout option is zero, meaning no timeout is set, so Traefik waits indefinitely for a request body that never arrives [1].

An unauthenticated attacker can exploit this by sending a crafted GET request to any Traefik endpoint, causing the connection to hang. No special privileges or network position are required beyond the ability to send HTTP requests to the target [1].

The impact is a denial of service (DoS), as each such request consumes a connection that remains open indefinitely, potentially exhausting server resources and preventing legitimate requests from being processed [1].

The vulnerability is fixed in Traefik versions 2.11.2 and 3.0.0-rc5, where the default readTimeout has been changed to 60 seconds [1][4]. For users unable to upgrade, setting the readTimeout option in the entry point configuration can mitigate the issue [1][3].
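The mitigation the advisory names, written out as a Traefik static configuration. This is an added example, not text from the advisory or the Traefik project: the entry point name `web` and its address are assumptions, while the option path `entryPoints.<name>.transport.respondingTimeouts.readTimeout` is the one the fix commit documents. The two YAML documents are alternative files shown side by side, the first with the pre-fix default and the second with an explicit bound.

```yaml
# Traefik static configuration (file provider, YAML). Added example; the entry
# point name and address are assumptions, the option path comes from the fix.
#
# Weak: before 2.11.2 / 3.0.0-rc5 the implicit default was 0, meaning no read
# timeout. A GET that carries a Content-Length header but never sends the body
# keeps the connection open indefinitely, and each such request holds a slot.
entryPoints:
  web:
    address: ":80"
    transport:
      respondingTimeouts:
        readTimeout: 0
---
# Mitigated: bound how long Traefik waits to read the entire request, body
# included. 60s matches the default introduced by the fix; tune it to the
# workload (large uploads may need more, interactive APIs can use less).
# Values without a unit are parsed as seconds, so "60" and "60s" are equivalent.
entryPoints:
  web:
    address: ":80"
    transport:
      respondingTimeouts:
        readTimeout: 60s
```

The same setting can be supplied on the command line as `--entrypoints.web.transport.respondingtimeouts.readtimeout=60s` or through the environment as `TRAEFIK_ENTRYPOINTS_WEB_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT=60s`, following the flag and variable patterns in the fix commit. After deploying, watch the access and error logs: `i/o timeout` read errors on legitimate traffic mean the value is too low for that workload, not that the mitigation failed.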

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Language  Affected versions              Patched versions
github.com/traefik/traefik/v3       Go        >= 3.0.0-beta3, < 3.0.0-rc5    3.0.0-rc5
github.com/traefik/traefik/v2       Go        < 2.11.2                       2.11.2
github.com/traefik/traefik          Go        < 2.11.2                       2.11.2

Affected products: 9

Patches (1)

Commit 240b83b77351

Set default ReadTimeout value to 60s

https://github.com/traefik/traefik · Romain · Apr 11, 2024 · via ghsa
5 files changed · +6 −9
  • docs/content/migration/v2.md · +1 −4 · modified
    @@ -623,7 +623,7 @@ To configure responding timeouts
     
     ### EntryPoint.Transport.RespondingTimeouts.ReadTimeout
     
    -Starting with `v2.11.2` the entryPoints `readTimeout` option default value changed to 5 seconds.
    +Starting with `v2.11.2` the entryPoints [`readTimeout`](../routing/entrypoints.md#respondingtimeouts) option default value changed to 60 seconds.
     
     For HTTP, this option defines the maximum duration for reading the entire request, including the body.
     For TCP, this option defines the maximum duration for the first bytes to be read on the connection.
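Review bot: the added line states the new default as "60 seconds" while the CLI and environment reference files in this same commit document it as a bare `60`; the entrypoints doc says unitless values are parsed as seconds, so the three agree, but spelling it `60s` everywhere would make the unit explicit for readers who only open one of the files.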
    @@ -632,9 +632,6 @@ The default value was previously set to zero, which means no timeout.
     
     This change has been done to avoid Traefik instances with the default configuration to be hanging forever while waiting for bytes to be read on the connection.
     
    -We suggest to adapt this value accordingly to your situation, as the new default value is purposely narrowed,
    -it can make the connection be closed too early.
    -
     Increasing the `readTimeout` value could be the solution notably if you are dealing with the following errors:
     
     - TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
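Review bot: dropping the "purposely narrowed" caution is consistent with the default moving from 5s to 60s, but the surviving sentence "Increasing the `readTimeout` value could be the solution..." now lacks the lead-in that explained why those errors appear; consider keeping one line noting that a 60s bound can still close connections early for slow clients or large bodies, and that setting it to zero restores the previous no-timeout behaviour together with the hang this advisory describes.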
    
  • docs/content/reference/static-configuration/cli-ref.md · +1 −1 · modified
    @@ -187,7 +187,7 @@ Duration to keep accepting requests before Traefik initiates the graceful shutdo
     IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
     
     `--entrypoints.<name>.transport.respondingtimeouts.readtimeout`:  
    -ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```5```)
    +ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```60```)
     
     `--entrypoints.<name>.transport.respondingtimeouts.writetimeout`:  
     WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
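Review bot: the unchanged IdleTimeout context line two lines above the change reads "maximum amount duration", a pre-existing wording slip; since this reference file is being touched anyway, "maximum duration" would be worth fixing in the same pass, and the generated env-ref.md copy carries the same text.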
    
  • docs/content/reference/static-configuration/env-ref.md · +1 −1 · modified
    @@ -187,7 +187,7 @@ Duration to keep accepting requests before Traefik initiates the graceful shutdo
     IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
     
     `TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT`:  
    -ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```5```)
    +ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```60```)
     
     `TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT`:  
     WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
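Review bot: this hunk mirrors cli-ref.md line for line, which is expected for generated reference files, but it is worth confirming in the PR description that both were produced by the generator rather than edited by hand, so the next regeneration does not silently revert one of them.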
    
  • docs/content/routing/entrypoints.md · +2 −2 · modified
    @@ -402,14 +402,14 @@ Setting them has no effect for UDP entryPoints.
     
     ??? info "`transport.respondingTimeouts.readTimeout`"
     
    -    _Optional, Default=5s_
    +    _Optional, Default=60s_
     
         `readTimeout` is the maximum duration for reading the entire request, including the body.
     
         If zero, no timeout exists.  
         Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
         If no units are provided, the value is parsed assuming seconds.
    -    For requests with large payloads, this timeout value might be increased.
    +    We strongly suggest to adapt this value accordingly to the your needs.
     
         ```yaml tab="File (YAML)"
         ## Static configuration
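Review bot: the added line "We strongly suggest to adapt this value accordingly to the your needs." has a stray "the" and unidiomatic phrasing; suggest "We strongly suggest adapting this value to your needs." The removed line about large payloads was the only concrete guidance on when to raise the value, so consider keeping it alongside the new sentence, e.g. "For requests with large payloads, this timeout value might need to be increased."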
    
  • pkg/config/static/static_config.go · +1 −1 · modified
    @@ -51,7 +51,7 @@ const (
     	DefaultIdleTimeout = 180 * time.Second
     
     	// DefaultReadTimeout defines the default maximum duration for reading the entire request, including the body.
    -	DefaultReadTimeout = 5 * time.Second
    +	DefaultReadTimeout = 60 * time.Second
     
     	// DefaultAcmeCAServer is the default ACME API endpoint.
     	DefaultAcmeCAServer = "https://acme-v02.api.letsencrypt.org/directory"
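Review bot: the comment on DefaultReadTimeout still only restates the field's meaning; since this constant is the code-level fix for the advisory, the comment should say why it is non-zero (zero disables the timeout and leaves the connection waiting for a body that may never arrive) so a future cleanup does not set it back to 0, and a test asserting that a freshly populated entry point transport carries a non-zero ReadTimeout would guard the same invariant.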
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
