7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28869

GHSA ID

GHSA-4vwx-54mw-vqfw

EPSS Score

0.30157%

CWE

CWE-404

Published

4/12/2024

Updated

4/15/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-28869

CVE-2024-28869: Traefik vulnerable to denial of service with Content-length header

There is a potential vulnerability in Traefik managing requests with Content-length and no body .

Sending a GET request to any Traefik endpoint with the Content-length request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.2
https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

For more information

If you have any questions or comments about this advisory, please open an issue.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28869

GHSA ID

GHSA-4vwx-54mw-vqfw

EPSS Score

0.30157%

CWE

CWE-404

Published

4/12/2024

Updated

4/15/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/traefik/traefik/v3	go	>= 3.0.0-beta3, <= 3.0.0-rc4	3.0.0-rc5
github.com/traefik/traefik/v2	go	<= 2.11.1	2.11.2
github.com/traefik/traefik	go	<= 2.11.1	2.11.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of requests with Content-Length headers and no body, causing Traefik to wait indefinitely. The patch explicitly changes the DefaultReadTimeout from 5s to 60s in static_config.go, indicating this configuration value directly influenced the timeout behavior. The CWE-404 (resource shutdown failure) and CWE-755 (exceptional condition mishandling) align with the lack of proper timeout enforcement. While no specific request-handling function is named in the provided data, the DefaultReadTimeout constant's role in configuring server timeouts makes it the clearest vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * pot*nti*l vuln*r**ility in Tr***ik m*n**in* r*qu*sts wit* `*ont*nt-l*n*t*` *n* no `*o*y` . S*n*in* * `**T` r*qu*st to *ny Tr***ik *n*point wit* t** `*ont*nt-l*n*t*` r*qu*st *****r r*sults in *n in***init* **n* wit* t** ****ult *on*i*ur*ti

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* r*qu*sts wit* *ont*nt-L*n*t* *****rs *n* no *o*y, **usin* Tr***ik to w*it in***init*ly. T** p*t** *xpli*itly ***n**s t** `****ultR***Tim*out` *rom *s to **s in `st*ti*_*on*i*.*o`, in*i**tin* t*is *on*

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-28869: Traefik vulnerable to denial of service with Content-length header

Patches

Workarounds

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI