CVE-2025-66491

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-66491

Severity

5.9

Medium

CVSS V3

Summary

Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

References

https://images.chainguard.dev/security/CGA-fwqr-jf4c-2qqw
https://github.com/advisories/GHSA-7vww-mvcr-x6vj
https://images.chainguard.dev/security/CGA-f84h-vjjm-3w63
https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66491.json
https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4
https://github.com/traefik/traefik/releases/tag/v3.6.3
https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj
https://nvd.nist.gov/vuln/detail/CVE-2025-66491

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-66491

Severity

Summary

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company