Inverted TLS Verification Logic in Traefik HTTP Reverse Proxy
CVE-2025-66491

5.9MEDIUM

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
9 December 2025

What is CVE-2025-66491?

Traefik, an HTTP reverse proxy and load balancer, has a critical vulnerability due to inverted TLS verification logic present in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. When set to 'on' to enable backend TLS certificate verification, it instead disables the verification process. This misconfiguration exposes users to potential man-in-the-middle attacks, compromising the security of HTTPS backend communications. The issue is resolved in Traefik version 3.6.3, which corrects this configuration error, ensuring that operators can securely verify backend TLS certificates.

Affected Version(s)

traefik >= 3.5.0, < 3.6.3

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/traefik/traefik/commit/14a1aedf5704673...
x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.3
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.