Moderate severity · NVD Advisory · Published Dec 9, 2025 · Updated Dec 9, 2025
Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider
CVE-2025-66491
Description
Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/traefik/traefik/v3 (Go) | >= 3.5.0, < 3.6.3 | 3.6.3 |
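The inversion described above can be turned into an audit check. This is an added example, not code from Traefik or from the advisory: it lists Ingress objects whose annotation asks for verification while an affected version would skip it. The `Ingress` type, the function names and the sample objects are assumptions; the two string comparisons are the ones in the fix commit listed under Patches.

```go
package main

import (
	"fmt"
	"strings"
)

// Ingress is a hypothetical minimal stand-in for a Kubernetes Ingress object.
type Ingress struct {
	Name        string
	Annotations map[string]string
}

const verifyAnnotation = "nginx.ingress.kubernetes.io/proxy-ssl-verify"

// skipVerify mirrors the fix commit: compare with "on" (3.5.0-3.6.2) or "off" (3.6.3+).
func skipVerify(ann map[string]string, fixed bool) bool {
	v, ok := ann[verifyAnnotation]
	if !ok {
		v = "off" // same default as ptr.Deref(cfg.ProxySSLVerify, "off")
	}
	if fixed {
		return strings.ToLower(v) == "off"
	}
	return strings.ToLower(v) == "on"
}

// affected reports whether version is >= 3.5.0 and < 3.6.3 (unparsable: false).
func affected(version string) bool {
	var major, minor, patch int
	n, _ := fmt.Sscanf(strings.TrimPrefix(version, "v"), "%d.%d.%d", &major, &minor, &patch)
	return n == 3 && major == 3 && (minor == 5 || (minor == 6 && patch < 3))
}

// exposed lists Ingresses that request verification ("on") but would not get it.
func exposed(version string, ings []Ingress) []string {
	var out []string
	for _, ing := range ings {
		wantsVerify := strings.ToLower(ing.Annotations[verifyAnnotation]) == "on"
		if wantsVerify && skipVerify(ing.Annotations, !affected(version)) {
			out = append(out, ing.Name)
		}
	}
	return out
}

func main() { // constructed sample objects
	fmt.Println(exposed("v3.6.2", []Ingress{{"payments", map[string]string{verifyAnnotation: "on"}}, {"blog", nil}}))
}
```

On an affected version, an Ingress with the annotation set to "off" or left unset has verification performed, so upgrading to 3.6.3 changes behaviour for those objects as well.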
Patches
14a1aedf5704 Fix nginx.ingress.kubernetes.io/proxy-ssl-verify annotation support
2 files changed · +2 −2
pkg/provider/kubernetes/ingress-nginx/kubernetes.go+1 −1 modified@@ -509,7 +509,7 @@ func (p *Provider) buildServersTransport(namespace, name string, cfg ingressConf Name: provider.Normalize(namespace + "-" + name), ServersTransport: &dynamic.ServersTransport{ ServerName: ptr.Deref(cfg.ProxySSLName, ptr.Deref(cfg.ProxySSLServerName, "")), - InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, "off")) == "on", + InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, "off")) == "off", }, }
pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go+1 −1 modified@@ -397,7 +397,7 @@ func TestLoadIngresses(t *testing.T) { ServersTransports: map[string]*dynamic.ServersTransport{ "default-ingress-with-proxy-ssl": { ServerName: "whoami.localhost", - InsecureSkipVerify: true, + InsecureSkipVerify: false, RootCAs: []types.FileOrContent{"-----BEGIN CERTIFICATE-----"}, }, },
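Review bot: In buildServersTransport (kubernetes.go), the `InsecureSkipVerify` line still derives a negative flag from a positive annotation inside one inline string comparison, and nothing at the call site states which annotation value maps to which behaviour, which is the shape that let `== "on"` through in the first place. Consider parsing the annotation once into a named boolean (for example a `verify` local) and assigning its negation, with a comment that an unset annotation falls back to "off" and therefore leaves `InsecureSkipVerify` true. It is also worth deciding explicitly what a value other than "on" or "off" should do: with `== "off"` it silently enables verification, which is the safe direction but is not documented in these lines.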
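Review bot: In TestLoadIngresses (kubernetes_test.go), the `default-ingress-with-proxy-ssl` expectation is the only assertion this hunk touches, so as far as these lines show the other branches of the comparison remain unpinned. Add cases for the annotation set to "off", left unset, and written in mixed case such as "On", each asserting the resulting `InsecureSkipVerify`. The previous expectation of `InsecureSkipVerify: true` had recorded the inverted behaviour as correct, so a short comment on the fixture stating the intended mapping would help the next reader.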
References
- github.com/advisories/GHSA-7vww-mvcr-x6vj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-66491 (ghsa, ADVISORY)
- github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4 (ghsa, x_refsource_MISC, WEB)
- github.com/traefik/traefik/releases/tag/v3.6.3 (ghsa, x_refsource_MISC, WEB)
- github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj (ghsa, x_refsource_CONFIRM, WEB)