Is Traefik vulnerable to CVE-2023-44487?

I use Traefik 2.x as the Ingress Controller for my production K8s cluster. Therefore, I'd like to know if it's vulnerable to CVE-2023-44487 or not.

Thanks for your reply :slight_smile:


Can we also have a comment on Traefik 1.7 regarding CVE-2023-44487

1 Like

Hello @trinhpham, @blanebramble,

Thanks for reaching out.

We are currently working on a fix for Traefik v2.10, we'll keep you updated about it once the new version is available.

As Traefik v1 is not maintained anymore, we haven't planned to bring the fix to Traefik v1.7.
You can find the list of the supported versions in the documentation.

1 Like

Hello @nicomengin,

Thanks for keeping us updated.

Since this vulnerability has had a far reaching impact all around (Cloudflare, Google and AWS were affected) and the fix for Traefik is still to be relased, could you provide some guidance in the meanwhile on how to workdaround/mitigate this vulnerability?

Hi @trinhpham @blanebramble and @js285

New versions of Traefik v2.10 and v3-beta are available on GitHub.

1 Like

Hi svx,

Neither of the v2.10.5 nor the v3 beta4 release notes mention fix for the CVE, can you please confirm that the fix was included in v2.10.5 (released yesterday), pointer to the commit addressing this would be super helpful.


The fix is included in the 2 versions (v2.10.5 and v3.0.0-beta4).

1 Like

Thanks all for swift response and fix for this vulnerability. Amazing work.

1 Like

Hello @jokke,

Thanks for reaching out, we have updated both changelogs to add this information.
Moreover, we have published a topic summarizing the actions done to fix the CVEs.

I was unable to pinpoint the actual fix in changeset so I could try to port it to traefik 1.x. Is it included in golang libraries and we'd only need to rebuild 1.x or there's some actual handling somewhere in the code?

Hi @Jancis , thanks for your interest in Traefik!

You can find the PR with the related changes on GitHub.

As a reminder, Traefik v1 is EOL, you can find more information about supported versions on the release overview page.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.