Moderate severity · NVD Advisory · Published Dec 9, 2025 · Updated Dec 9, 2025
Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider
CVE-2025-66491
Description
Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.
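The inversion the advisory describes, as an added illustration in Go (not Traefik's code, and not a reconstruction of the actual commit): a hypothetical annotation-to-`tls.Config` mapping that copies the "on" flag straight into `InsecureSkipVerify`, beside the corrected mapping, plus a small audit helper that lists ingresses which request verification but would run without it. The "missing annotation means off" default is assumed from ingress-nginx semantics.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// Annotation named in the advisory.
const proxySSLVerifyAnnotation = "nginx.ingress.kubernetes.io/proxy-ssl-verify"

// wantsVerify reports whether the operator asked for backend certificate verification.
// Assumption: ingress-nginx semantics, only "on" enables it and a missing annotation means "off".
func wantsVerify(annotations map[string]string) bool {
	return strings.EqualFold(strings.TrimSpace(annotations[proxySSLVerifyAnnotation]), "on")
}

// buggyBackendTLS is a hypothetical reconstruction of the inverted logic (not Traefik's code):
// the flag lands directly in InsecureSkipVerify, so "on" disables verification and "off" enables it.
func buggyBackendTLS(annotations map[string]string) *tls.Config {
	return &tls.Config{InsecureSkipVerify: wantsVerify(annotations)}
}

// fixedBackendTLS negates the flag, which is what the annotation means.
func fixedBackendTLS(annotations map[string]string) *tls.Config {
	return &tls.Config{InsecureSkipVerify: !wantsVerify(annotations), MinVersion: tls.VersionTLS12}
}

// verifiesBackend is the property the operator actually cares about.
func verifiesBackend(cfg *tls.Config) bool { return !cfg.InsecureSkipVerify }

// silentlyUnverified lists ingresses that request verification but, under the buggy mapping,
// would reach their backend without it: the MITM exposure the advisory describes.
func silentlyUnverified(ingresses map[string]map[string]string) []string {
	var out []string
	for name, ann := range ingresses {
		if wantsVerify(ann) && !verifiesBackend(buggyBackendTLS(ann)) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample ingresses, not taken from any real cluster.
	ingresses := map[string]map[string]string{
		"api": {proxySSLVerifyAnnotation: "on"}, "admin": {proxySSLVerifyAnnotation: "off"}, "web": {},
	}
	fmt.Println("request verification but get none on 3.5.0-3.6.2:", silentlyUnverified(ingresses))
}
```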
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/traefik/traefik/v3 (Go) | >= 3.5.0, < 3.6.3 | 3.6.3 |
Affected products
- pkg:apk/chainguard/traefik-3.5 (no CPE): < 3.5.6-r6
- pkg:apk/wolfi/traefik-3.5 (no CPE): < 3.5.6-r6
- pkg:golang/github.com/traefik/traefik/v3 (no CPE): >= 3.5.0, < 3.6.3
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE): < 0.0.20251230T014957-150000.1.134.1
- pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed (no CPE): < 3.6.6-1.1
References
- github.com/advisories/GHSA-7vww-mvcr-x6vj (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66491 (NVD advisory)
- github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4 (commit)
- github.com/traefik/traefik/releases/tag/v3.6.3 (release)
- github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj (Traefik security advisory, confirmation)
News mentions
- Risky Business #819 -- Venezuela (credibly?!) blames USA for wiper attack (Risky Business, Dec 17, 2025)