VYPR

apk package

chainguard/traefik-3.5

pkg:apk/chainguard/traefik-3.5

Vulnerabilities (15)

  • CVE-2026-32595 (Mar 20, 2026)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 contain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt passwor

  • CVE-2026-32305 (Mar 20, 2026)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across m

  • CVE-2026-29054 (Mar 5, 2026)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put

  • CVE-2026-26999 (Mar 5, 2026)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing

  • CVE-2026-26998 (Mar 5, 2026)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentic

  • CVE-2026-25949 (Feb 12, 2026)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS

  • CVE-2026-22045 (Jan 15, 2026)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors inde

  • CVE-2025-64702 (Dec 11, 2025)
    affected: < 3.5.6-r4; fixed: 3.5.6-r4

    quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (man

  • CVE-2025-66491 (Dec 9, 2025)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually

  • CVE-2025-66490 (Dec 9, 2025)
    affected: < 3.5.6-r6; fixed: 3.5.6-r6

    Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted chara

  • CVE-2025-47914 (Nov 19, 2025)
    affected: < 3.5.6-r2; fixed: 3.5.6-r2

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181 (Nov 19, 2025)
    affected: < 0; fixed: 0

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-59530, severity High (Oct 10, 2025)
    affected: < 3.5.3-r1; fixed: 3.5.3-r1

    quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requir

  • CVE-2025-54799, severity Low (Aug 7, 2025)
    affected: < 3.5.0-r1; fixed: 3.5.0-r1

    Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which

  • CVE-2025-54410 (Jul 30, 2025)
    affected: < 3.5.6-r1; fixed: 3.5.6-r1

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail