Traefik vulnerable to bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes
Description
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Traefik before 2.11.6, 3.0.4, and 3.1.0-rc3 allows IP allow-list bypass via spoofed IPs in QUIC 0-RTT HTTP/3 early data.
Vulnerability
CVE-2024-39321 affects Traefik, an HTTP reverse proxy and load balancer. The vulnerability lies in how Traefik handles HTTP/3 early data requests sent during QUIC 0-RTT handshakes. Because the initial QUIC handshake and the early data travel in a single UDP datagram, the sender never has to receive a reply, so the source IP address can be spoofed. The server processes the request before the handshake completes and before the client's IP address is validated, allowing an attacker to bypass IP-based allow-lists [1][2].
Exploitation
To exploit this, an attacker first establishes an HTTP/3 connection to the target Traefik instance using their real IP address and obtains a session ticket (no actual HTTP request is needed). The attacker then closes that connection and crafts a single UDP datagram containing a QUIC initial packet with the session ticket and a TLS ClientHello, a QUIC 0-RTT packet carrying early data encrypted with the pre-shared key, and an HTTP/3 request. This datagram is then sent with an arbitrarily spoofed source IP address. Because the request is processed before the handshake completes, Traefik sees the spoofed IP and may grant access to resources that should be restricted by its IP allow-list [1].
Impact
An attacker who can obtain a session ticket can effectively bypass IP allow-lists, potentially gaining unauthorized access to protected services. This could lead to exposure of internal applications, data exfiltration, or further lateral movement within the network, depending on what the allow-lists protect.
Mitigation
The vulnerability is fixed in Traefik versions 2.11.6, 3.0.4, and 3.1.0-rc3 [1][2]. No workarounds are available. Users running earlier versions should upgrade immediately. The issue is not known to be in CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/traefik/traefik/v2 (Go) | < 2.11.6 | 2.11.6 |
| github.com/traefik/traefik/v3 (Go) | >= 3.0.0-beta3, < 3.0.4 | 3.0.4 |
| github.com/traefik/traefik/v3 (Go) | >= 3.1.0-rc1, < 3.1.0-rc3 | 3.1.0-rc3 |
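A defender-side version check, added here as an example that is not part of the advisory or of Traefik's own code: it encodes the affected ranges from the table above with semver ordering (so a prerelease such as 3.0.0-beta3 sorts below the 3.0.0 release and 3.1.0-rc3 above 3.1.0-rc2) and scans a constructed go.mod fragment for a Traefik requirement.

```python
"""Version check for CVE-2024-39321: is a Traefik Go module version in an
affected range? Ranges are taken from the advisory table on this page."""
import re

# (lower bound inclusive or None, upper bound exclusive) per module path.
AFFECTED_RANGES = {
    "github.com/traefik/traefik/v2": [(None, "2.11.6")],
    "github.com/traefik/traefik/v3": [("3.0.0-beta3", "3.0.4"),
                                      ("3.1.0-rc1", "3.1.0-rc3")],
}

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def parse(version):
    """Turn 'v3.0.0-beta3' into a key that orders like semver: a release
    sorts above every prerelease of the same core (so 3.0.0 > 3.0.0-beta3),
    and numeric prerelease identifiers sort below alphanumeric ones."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (core, 1, ())
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                for p in pre.split("."))
    return (core, 0, ids)

def is_affected(module, version):
    """True if `version` of `module` falls inside any affected range."""
    v = parse(version)
    return any((lo is None or parse(lo) <= v) and v < parse(hi)
               for lo, hi in AFFECTED_RANGES[module])

def check_go_mod(go_mod_text):
    """Scan go.mod text and map each Traefik module requirement to a verdict."""
    verdicts = {}
    for line in go_mod_text.splitlines():
        m = re.match(r"^\s*(github\.com/traefik/traefik/v[23])\s+(\S+)", line)
        if m:
            verdicts[m.group(1)] = is_affected(m.group(1), m.group(2))
    return verdicts

# Constructed go.mod fragment for demonstration, not from any real project.
SAMPLE_GO_MOD = "module example.com/edge\n\nrequire (\n\tgithub.com/traefik/traefik/v3 v3.0.3\n)\n"
```

Versions carrying build metadata (for example a `+incompatible` suffix) are rejected by `parse` rather than guessed at.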
Affected products
- pkg:golang/github.com/traefik/traefik/v2 (no CPE): < 2.11.6
- pkg:golang/github.com/traefik/traefik/v3 (no CPE): >= 3.0.0-beta3, < 3.0.4
- pkg:rpm/opensuse/traefik2&distro=openSUSE%20Tumbleweed (no CPE): < 2.11.6-2.1
- pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed (no CPE): < 3.0.4-2.1
Patches
- 3d42e75bb2eab876899be4bb3927f0bc01a78
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gxrv-wf35-62w9 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-39321 (GHSA, advisory)
- github.com/traefik/traefik/releases/tag/v2.11.6 (GHSA, web)
- github.com/traefik/traefik/releases/tag/v3.0.4 (GHSA, web)
- github.com/traefik/traefik/releases/tag/v3.1.0-rc3 (GHSA, web)
- github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9 (GHSA, vendor confirmation)