Vulnerability Description
Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Traefik | Traefik | >= 3.5.0, < 3.6.3 |
Related Weaknesses (CWE)
References
- https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77 (Patch)
- https://github.com/traefik/traefik/releases/tag/v3.6.3 (Release Notes)
- https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj (Patch, Vendor Advisory)
FAQ
What is CVE-2025-66491?
CVE-2025-66491 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annota...
How severe is CVE-2025-66491?
CVE-2025-66491 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2025-66491?
Yes. The issue is fixed in Traefik version 3.6.3; see the references section above for the vendor advisory, the patch commit, and the release notes. Affected product: Traefik (vendor: Traefik), versions >= 3.5.0 and < 3.6.3.