Skip to content

Commit aa9beaa

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-7vww-mvcr-x6vj GHSA-gm3x-23wp-hc2c
1 parent d7e21b9 commit aa9beaa

File tree

2 files changed

+177
-0
lines changed

2 files changed

+177
-0
lines changed

advisories/github-reviewed/2025/12/GHSA-7vww-mvcr-x6vj/GHSA-7vww-mvcr-x6vj.json

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-7vww-mvcr-x6vj",
4+
"modified": "2025-12-08T16:43:07Z",
5+
"published": "2025-12-08T16:43:06Z",
6+
"aliases": [
7+
"CVE-2025-66491"
8+
],
9+
"summary": "Traefik Inverted TLS Verification Logic in ingress-nginx Provider",
10+
"details": "## Impact\n\nThere is a potential vulnerability in Traefik NGINX provider managing the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation.\n\nThe provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `\"on\"` (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.6.3\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n<details>\n<summary>Original Description</summary>\n\n### Summary\n\nA logic error in Traefik's experimental ingress-nginx provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `\"on\"` (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.\n\n### Details\n\nIn `pkg/provider/kubernetes/ingress-nginx/kubernetes.go` at line 512, the `InsecureSkipVerify` field is set using inverted logic:\n\n```go\nnst := &namedServersTransport{\n Name: provider.Normalize(namespace + \"-\" + name),\n ServersTransport: &dynamic.ServersTransport{\n ServerName: ptr.Deref(cfg.ProxySSLName, ptr.Deref(cfg.ProxySSLServerName, \"\")),\n InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, \"off\")) == \"on\",\n },\n}\n```\n\nThe expression `== \"on\"` evaluates to `true` when the annotation is `\"on\"`, setting `InsecureSkipVerify: true`. In Go's `crypto/tls`, `InsecureSkipVerify: true` means \"do not verify the server's certificate\" — the opposite of what `proxy-ssl-verify: \"on\"` should do according to NGINX semantics.\n\n**Current behavior:**\n| Annotation Value | InsecureSkipVerify | Actual Result |\n|------------------|-------------------|---------------|\n| `\"on\"` | `true` | Verification **disabled** ❌ |\n| `\"off\"` (default) | `false` | Verification **enabled** |\n\n**Expected behavior (per NGINX semantics):**\n| Annotation Value | InsecureSkipVerify | Expected Result |\n|------------------|-------------------|-----------------|\n| `\"on\"` | `false` | Verification **enabled** |\n| `\"off\"` (default) | `true` | Verification **disabled** |\n\nThe test in `pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go` lines 397-403 confirms this inverted behavior is codified as \"expected\":\n\n```go\nServersTransports: map[string]*dynamic.ServersTransport{\n \"default-ingress-with-proxy-ssl\": {\n ServerName: \"whoami.localhost\",\n InsecureSkipVerify: true, // Wrong: should be false when annotation is \"on\"\n RootCAs: []types.FileOrContent{\"-----BEGIN CERTIFICATE-----\"},\n },\n},\n```\n\n**Affected versions:** v3.5.0 through current master (introduced in commit `9bd5c617820f2a8d23b50b68d114bb7bc464eccd`)\n\nPavel Kohout\nAisle Research\n</details>\n\n-",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/traefik/traefik/v3"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "3.5.0"
29+
},
30+
{
31+
"fixed": "3.6.3"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 3.6.2"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4"
49+
},
50+
{
51+
"type": "PACKAGE",
52+
"url": "https://github.com/traefik/traefik"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.3"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-295"
62+
],
63+
"severity": "MODERATE",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2025-12-08T16:43:06Z",
66+
"nvd_published_at": null
67+
}
68+
}

advisories/github-reviewed/2025/12/GHSA-gm3x-23wp-hc2c/GHSA-gm3x-23wp-hc2c.json

Lines changed: 109 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-gm3x-23wp-hc2c",
4+
"modified": "2025-12-08T16:42:30Z",
5+
"published": "2025-12-08T16:42:30Z",
6+
"aliases": [
7+
"CVE-2025-66490"
8+
],
9+
"summary": "Path Normalization Bypass in Traefik Router + Middleware Rules",
10+
"details": "## Impact\n\nThere is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.\n\nWhen Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set **('/', '\\', 'Null', ';', '?', '#')**, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.\n\n## Example\n\n```yaml\napiVersion: traefik.io/v1alpha1\nkind: IngressRoute\nmetadata:\n name: my-service\nspec:\n routes:\n - match: PathPrefix(‘/admin/’)\n kind: Rule\n services:\n - name: service-a\n port: 8080\n middlewares:\n - name: my-security-middleware\n - match: PathPrefix(‘/’)\n kind: Rule\n services:\n - name: service-a\n port: 8080\n```\n\nIn such a case, the request `http://mydomain.example.com/admin%2F` will reach the backend `service-a` without operating the middleware `my-security-middleware` and passing the security put in place for the `/admin/` path.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.32\n- https://github.com/traefik/traefik/releases/tag/v3.6.4\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n<details>\n<summary>Original Description</summary>### Summary\nA vulnerability exists in Traefik’s path matching logic that allows attackers to bypass access-control middleware (e.g., blocking rules) by using URL-encoded paths. I found this vulnerability while playing PwnSec CTF 2025 with my team @0xL4ugh\n\n### Details\nTraefik evaluates router rules before decoding or normalizing the request path, but forwards the request after decoding to the backend service. As a result, routes meant to block access to sensitive endpoints (such as internal, beta, or admin endpoints) can be trivially bypassed.\n\n### PoC\nTraefik configuration used in this issue :\n```[http.routers.flask-router-report-deny]\n entryPoints = [\"web\"]\n rule = \"PathPrefix(`/report_note`)\"\n priority = 10\n middlewares = [\"block-access\"]\n service = \"flask-service\"\n\n[http.middlewares.block-access.replacePathRegex]\n regex = \".*\"\n replacement = \"/blocked\"\n```\nThe intention is to block all access to /report_note.\n\nHowever, the following request bypasses the block:\n```\nPOST /%2freport_note HTTP/1.1\nHost: localhost:62814\n\n\n```\n### Impact\nAccess Control Bypass:\nAny endpoint intended to be blocked (e.g., admin/debug/beta APIs) can be accessed by URL-encoding slashes or other characters.\n\nThis could lead to:\n\n- Unauthorized access to restricted endpoints\n- Execution of protected internal functionality\n- Potential privilege escalation\n- Bypass of security policies enforced via Traefik routing rules\n</details>",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/traefik/traefik/v3"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.6.3"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 3.6.2"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Go",
43+
"name": "github.com/traefik/traefik/v2"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"fixed": "2.11.32"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 2.11.31"
60+
}
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "Go",
65+
"name": "github.com/traefik/traefik"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "0"
73+
},
74+
{
75+
"last_affected": "1.7.34"
76+
}
77+
]
78+
}
79+
]
80+
}
81+
],
82+
"references": [
83+
{
84+
"type": "WEB",
85+
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c"
86+
},
87+
{
88+
"type": "PACKAGE",
89+
"url": "https://github.com/traefik/traefik"
90+
},
91+
{
92+
"type": "WEB",
93+
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.32"
94+
},
95+
{
96+
"type": "WEB",
97+
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.4"
98+
}
99+
],
100+
"database_specific": {
101+
"cwe_ids": [
102+
"CWE-436"
103+
],
104+
"severity": "MODERATE",
105+
"github_reviewed": true,
106+
"github_reviewed_at": "2025-12-08T16:42:30Z",
107+
"nvd_published_at": null
108+
}
109+
}

0 commit comments

Comments
 (0)