7.5
CVSS V3
Traefik vulnerable to denial of service with Content-length header
There is a potential vulnerability in Traefik managing requests with Content-length
and no body
.
Sending a GET
request to any Traefik endpoint with the Content-length
request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.
If you have any questions or comments about this advisory, please open an issue.