VYPR
Moderate severityNVD Advisory· Published Dec 9, 2025· Updated Dec 9, 2025

Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider

CVE-2025-66491

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/traefik/traefik/v3Go
>= 3.5.0, < 3.6.33.6.3

Affected products

6

Patches

Vulnerability mechanics

References

5

News mentions

1