cvelistv5 - CVE-2025-66491

CVE-2025-66491 (GCVE-0-2025-66491)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:38 – Updated: 2025-12-09 16:03

Summary

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/traefik/traefik/security/advis…	x_refsource_CONFIRM
	https://github.com/traefik/traefik/commit/14a1aed…	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v3.6.3	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	traefik	traefik	Affected: >= 3.5.0, < 3.6.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66491",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T14:17:29.439457Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-09T16:03:28.511Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.5.0, \u003c 3.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \"on\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:38:39.208Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"
        },
        {
          "name": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4"
        },
        {
          "name": "https://github.com/traefik/traefik/releases/tag/v3.6.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v3.6.3"
        }
      ],
      "source": {
        "advisory": "GHSA-7vww-mvcr-x6vj",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66491",
    "datePublished": "2025-12-09T00:38:39.208Z",
    "dateReserved": "2025-12-02T22:44:04.707Z",
    "dateUpdated": "2025-12-09T16:03:28.511Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-66491\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-09T01:16:55.720\",\"lastModified\":\"2025-12-09T18:37:13.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \\\"on\\\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v3.6.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66491\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-09T14:17:29.439457Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-09T14:17:32.518Z\"}}], \"cna\": {\"title\": \"Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider\", \"source\": {\"advisory\": \"GHSA-7vww-mvcr-x6vj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.5.0, \u003c 3.6.3\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4\", \"name\": \"https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v3.6.3\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v3.6.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \\\"on\\\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295: Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-09T00:38:39.208Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66491\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-09T16:03:28.511Z\", \"dateReserved\": \"2025-12-02T22:44:04.707Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-09T00:38:39.208Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2025-AVI-1077

Vulnerability from certfr_avis - Published: 2025-12-08 - Updated: 2025-12-08

De multiples vulnérabilités ont été découvertes dans Traefik. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

Le CERT-FR a connaissance d'une preuve de concept publique pour la vulnérabilité CVE-2025-66490.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Traefik	Traefik	Traefik versions 3.5.x et 3.6.x antérieures à v3.6.3
	Traefik	Traefik	Traefik versions antérieures à v2.11.32

References

Title

Publication Time

Tags

Bulletin de sécurité Traefik GHSA-gm3x-23wp-hc2c	2025-12-08	vendor-advisory
Bulletin de sécurité Traefik GHSA-7vww-mvcr-x6vj	2025-12-08	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Traefik versions 3.5.x et 3.6.x ant\u00e9rieures \u00e0 v3.6.3",
      "product": {
        "name": "Traefik",
        "vendor": {
          "name": "Traefik",
          "scada": false
        }
      }
    },
    {
      "description": "Traefik versions ant\u00e9rieures \u00e0 v2.11.32",
      "product": {
        "name": "Traefik",
        "vendor": {
          "name": "Traefik",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-66490",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66490"
    },
    {
      "name": "CVE-2025-66491",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66491"
    }
  ],
  "initial_release_date": "2025-12-08T00:00:00",
  "last_revision_date": "2025-12-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1077",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-12-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Traefik. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.\n\nLe CERT-FR a connaissance d\u0027une preuve de concept publique pour la vuln\u00e9rabilit\u00e9 CVE-2025-66490.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Traefik",
  "vendor_advisories": [
    {
      "published_at": "2025-12-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-gm3x-23wp-hc2c",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c"
    },
    {
      "published_at": "2025-12-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-7vww-mvcr-x6vj",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"
    }
  ]
}

CERTFR-2025-AVI-1077

Vulnerability from certfr_avis - Published: 2025-12-08 - Updated: 2025-12-08

Le CERT-FR a connaissance d'une preuve de concept publique pour la vulnérabilité CVE-2025-66490.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Traefik	Traefik	Traefik versions 3.5.x et 3.6.x antérieures à v3.6.3
	Traefik	Traefik	Traefik versions antérieures à v2.11.32

References

Title

Publication Time

Tags

Bulletin de sécurité Traefik GHSA-gm3x-23wp-hc2c	2025-12-08	vendor-advisory
Bulletin de sécurité Traefik GHSA-7vww-mvcr-x6vj	2025-12-08	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Traefik versions 3.5.x et 3.6.x ant\u00e9rieures \u00e0 v3.6.3",
      "product": {
        "name": "Traefik",
        "vendor": {
          "name": "Traefik",
          "scada": false
        }
      }
    },
    {
      "description": "Traefik versions ant\u00e9rieures \u00e0 v2.11.32",
      "product": {
        "name": "Traefik",
        "vendor": {
          "name": "Traefik",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-66490",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66490"
    },
    {
      "name": "CVE-2025-66491",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-66491"
    }
  ],
  "initial_release_date": "2025-12-08T00:00:00",
  "last_revision_date": "2025-12-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1077",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-12-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Traefik. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.\n\nLe CERT-FR a connaissance d\u0027une preuve de concept publique pour la vuln\u00e9rabilit\u00e9 CVE-2025-66490.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Traefik",
  "vendor_advisories": [
    {
      "published_at": "2025-12-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-gm3x-23wp-hc2c",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c"
    },
    {
      "published_at": "2025-12-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Traefik GHSA-7vww-mvcr-x6vj",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"
    }
  ]
}

FKIE_CVE-2025-66491

Vulnerability from fkie_nvd - Published: 2025-12-09 01:16 - Updated: 2025-12-09 18:37

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.6.3
	security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \"on\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3."
    }
  ],
  "id": "CVE-2025-66491",
  "lastModified": "2025-12-09T18:37:13.640",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-09T01:16:55.720",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-7VWW-MVCR-X6VJ

Vulnerability from github – Published: 2025-12-08 16:43 – Updated: 2025-12-09 16:32

Summary

Traefik Inverted TLS Verification Logic in ingress-nginx Provider

Details

Impact

There is a potential vulnerability in Traefik NGINX provider managing the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation.

The provider inverts the semantics of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.

Patches

https://github.com/traefik/traefik/releases/tag/v3.6.3

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary A logic error in Traefik's experimental ingress-nginx provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `"on"` (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. ### Details In `pkg/provider/kubernetes/ingress-nginx/kubernetes.go` at line 512, the `InsecureSkipVerify` field is set using inverted logic:

nst := &namedServersTransport{
    Name: provider.Normalize(namespace + "-" + name),
    ServersTransport: &dynamic.ServersTransport{
        ServerName:         ptr.Deref(cfg.ProxySSLName, ptr.Deref(cfg.ProxySSLServerName, "")),
        InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, "off")) == "on",
    },
}

The expression `== "on"` evaluates to `true` when the annotation is `"on"`, setting `InsecureSkipVerify: true`. In Go's `crypto/tls`, `InsecureSkipVerify: true` means "do not verify the server's certificate" — the opposite of what `proxy-ssl-verify: "on"` should do according to NGINX semantics. **Current behavior:** | Annotation Value | InsecureSkipVerify | Actual Result | |------------------|-------------------|---------------| | `"on"` | `true` | Verification **disabled** ❌ | | `"off"` (default) | `false` | Verification **enabled** | **Expected behavior (per NGINX semantics):** | Annotation Value | InsecureSkipVerify | Expected Result | |------------------|-------------------|-----------------| | `"on"` | `false` | Verification **enabled** | | `"off"` (default) | `true` | Verification **disabled** | The test in `pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go` lines 397-403 confirms this inverted behavior is codified as "expected":

ServersTransports: map[string]*dynamic.ServersTransport{
    "default-ingress-with-proxy-ssl": {
        ServerName:         "whoami.localhost",
        InsecureSkipVerify: true,  // Wrong: should be false when annotation is "on"
        RootCAs:            []types.FileOrContent{"-----BEGIN CERTIFICATE-----"},
    },
},

**Affected versions:** v3.5.0 through current master (introduced in commit `9bd5c617820f2a8d23b50b68d114bb7bc464eccd`) Pavel Kohout Aisle Research

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "3.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-08T16:43:06Z",
    "nvd_published_at": "2025-12-09T01:16:55Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nThere is a potential vulnerability in Traefik NGINX provider managing the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation.\n\nThe provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `\"on\"` (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.6.3\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\n\nA logic error in Traefik\u0027s experimental ingress-nginx provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `\"on\"` (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.\n\n### Details\n\nIn `pkg/provider/kubernetes/ingress-nginx/kubernetes.go` at line 512, the `InsecureSkipVerify` field is set using inverted logic:\n\n```go\nnst := \u0026namedServersTransport{\n    Name: provider.Normalize(namespace + \"-\" + name),\n    ServersTransport: \u0026dynamic.ServersTransport{\n        ServerName:         ptr.Deref(cfg.ProxySSLName, ptr.Deref(cfg.ProxySSLServerName, \"\")),\n        InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, \"off\")) == \"on\",\n    },\n}\n```\n\nThe expression `== \"on\"` evaluates to `true` when the annotation is `\"on\"`, setting `InsecureSkipVerify: true`. In Go\u0027s `crypto/tls`, `InsecureSkipVerify: true` means \"do not verify the server\u0027s certificate\" \u2014 the opposite of what `proxy-ssl-verify: \"on\"` should do according to NGINX semantics.\n\n**Current behavior:**\n| Annotation Value | InsecureSkipVerify | Actual Result |\n|------------------|-------------------|---------------|\n| `\"on\"` | `true` | Verification **disabled** \u274c |\n| `\"off\"` (default) | `false` | Verification **enabled** |\n\n**Expected behavior (per NGINX semantics):**\n| Annotation Value | InsecureSkipVerify | Expected Result |\n|------------------|-------------------|-----------------|\n| `\"on\"` | `false` | Verification **enabled** |\n| `\"off\"` (default) | `true` | Verification **disabled** |\n\nThe test in `pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go` lines 397-403 confirms this inverted behavior is codified as \"expected\":\n\n```go\nServersTransports: map[string]*dynamic.ServersTransport{\n    \"default-ingress-with-proxy-ssl\": {\n        ServerName:         \"whoami.localhost\",\n        InsecureSkipVerify: true,  // Wrong: should be false when annotation is \"on\"\n        RootCAs:            []types.FileOrContent{\"-----BEGIN CERTIFICATE-----\"},\n    },\n},\n```\n\n**Affected versions:** v3.5.0 through current master (introduced in commit `9bd5c617820f2a8d23b50b68d114bb7bc464eccd`)\n\nPavel Kohout\nAisle Research\n\u003c/details\u003e\n\n-",
  "id": "GHSA-7vww-mvcr-x6vj",
  "modified": "2025-12-09T16:32:29Z",
  "published": "2025-12-08T16:43:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66491"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik Inverted TLS Verification Logic in ingress-nginx Provider"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-66491 (GCVE-0-2025-66491)

CERTFR-2025-AVI-1077

Solutions

CERTFR-2025-AVI-1077

Solutions

FKIE_CVE-2025-66491

GHSA-7VWW-MVCR-X6VJ

Impact

Patches

For more information

Tags

Sightings

Nomenclature