The vulnerability exists in the handling of ACME TLS-ALPN challenges in Traefik. The analysis of the provided patch commit e9f3089e9045812bcf1b410a9d40568917b26c3d pinpoints the issue to the pkg/server/router/tcp/router.go file. The function acmeTLSALPNHandler creates a tcp.HandlerFunc to handle the TLS handshake for the acme-tls/1 protocol. The original implementation of this handler called tls.Server(...).Handshake() without setting any deadlines. This allows a malicious client to connect, send a minimal ClientHello indicating acme-tls/1, and then stop responding. The server-side goroutine and file descriptor would then be tied up indefinitely, leading to a denial-of-service vulnerability through resource exhaustion. The patch mitigates this by wrapping the Handshake() call in a HandshakeContext with a 2-second timeout and ensuring the connection is closed afterwards. The primary vulnerable function is the anonymous function within acmeTLSALPNHandler, which would appear in a Go profiler as (*Router).acmeTLSALPNHandler.func1. The parent function acmeTLSALPNHandler is also included as it is responsible for creating this vulnerable handler.
| Function | File |
|---|---|
| (*Router).acmeTLSALPNHandler.func1 | pkg/server/router/tcp/router.go |
| (*Router).acmeTLSALPNHandler | pkg/server/router/tcp/router.go |
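The two handler shapes described above, side by side, as an added illustration that is not Traefik's own code: the unbounded Handshake() form and the HandshakeContext form with a deadline and guaranteed Close, driven by a constructed in-memory client that connects and never sends a ClientHello. Traefik's tcp.HandlerFunc and its real TLS configuration are replaced here by a plain net.Conn and a minimal tls.Config, which is an assumption for the demo.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"time"
)

// handshakeTimeout matches the 2-second bound the page says the patch introduced.
const handshakeTimeout = 2 * time.Second

// vulnerableHandshake models the original handler: Handshake() with no deadline,
// so a client that sends nothing after connecting pins this goroutine (and the
// file descriptor) forever. It is shown for contrast and never called below.
func vulnerableHandshake(conn net.Conn, cfg *tls.Config) error {
	return tls.Server(conn, cfg).Handshake()
}

// boundedHandshake models the fix: the handshake is cancelled once timeout
// elapses and the connection is always closed, so a stalled client cannot hold
// the slot open. crypto/tls closes the underlying conn when the context ends.
func boundedHandshake(conn net.Conn, cfg *tls.Config, timeout time.Duration) error {
	defer conn.Close()
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	return tls.Server(conn, cfg).HandshakeContext(ctx)
}

// simulateStalledClient uses net.Pipe (a constructed stand-in for a TCP socket),
// never writes a ClientHello, and reports how long the server side waited and
// which error it got back. Swapping in vulnerableHandshake here would block forever.
func simulateStalledClient(timeout time.Duration) (time.Duration, error) {
	serverSide, clientSide := net.Pipe()
	defer clientSide.Close()
	// ALPN id from the page; no certificate is needed since we never get past the read.
	cfg := &tls.Config{NextProtos: []string{"acme-tls/1"}}
	start := time.Now()
	err := boundedHandshake(serverSide, cfg, timeout)
	return time.Since(start), err
}

func main() {
	elapsed, err := simulateStalledClient(handshakeTimeout)
	fmt.Printf("server gave up after %v: %v\n", elapsed.Round(time.Millisecond), err)
}
```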
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/traefik/traefik/v3 | go | <= 3.6.6 | 3.6.7 |
| github.com/traefik/traefik/v2 | go | <= 2.11.34 | 2.11.35 |