CVE-2025-66491 MEDIUM

CVE-2025-66491: Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider

Vendor: Traefik
Product: traefik
Weakness: CWE-295
Published: December 9, 2025
Last update: December 9, 2025

CVSS base score

5.9/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.
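The following Go snippet is an added illustration of the defect class described above, not Traefik's source: a hypothetical annotation-to-`tls.Config` mapping with the sense of `InsecureSkipVerify` inverted, placed beside the corrected form and the regression check a maintainer would add to catch it. The builder functions and `checkMapping` are constructed for this example; only the annotation key comes from the advisory.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Annotation named in the advisory; "on" means the operator wants the
// backend's TLS certificate verified.
const proxySSLVerifyAnnotation = "nginx.ingress.kubernetes.io/proxy-ssl-verify"

// buggyTLSConfig is a hypothetical reconstruction of the defect class (not
// Traefik's code): the value is parsed correctly but written into
// InsecureSkipVerify with the sense inverted, so "on" disables verification.
func buggyTLSConfig(annotations map[string]string) *tls.Config {
	verify := annotations[proxySSLVerifyAnnotation] == "on"
	return &tls.Config{InsecureSkipVerify: verify} // BUG: should be !verify
}

// fixedTLSConfig maps the annotation with the correct sense. Any value other
// than "on" (including an unset annotation) is treated here as verification
// disabled; that default is an assumption of this example.
func fixedTLSConfig(annotations map[string]string) *tls.Config {
	verify := annotations[proxySSLVerifyAnnotation] == "on"
	return &tls.Config{InsecureSkipVerify: !verify}
}

// checkMapping is the regression test that pins the annotation semantics:
// it feeds both values through a builder and reports the first one whose
// resulting InsecureSkipVerify contradicts the operator's intent.
func checkMapping(build func(map[string]string) *tls.Config) error {
	cases := []struct {
		value    string
		wantSkip bool
	}{{"on", false}, {"off", true}}
	for _, c := range cases {
		cfg := build(map[string]string{proxySSLVerifyAnnotation: c.value})
		if cfg.InsecureSkipVerify != c.wantSkip {
			return fmt.Errorf("%s=%q yields InsecureSkipVerify=%v, want %v",
				proxySSLVerifyAnnotation, c.value, cfg.InsecureSkipVerify, c.wantSkip)
		}
	}
	return nil
}

func main() {
	fmt.Println("buggy:", checkMapping(buggyTLSConfig)) // reports the inversion
	fmt.Println("fixed:", checkMapping(fixedTLSConfig)) // <nil>
}
```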

Key dates

Disclosure timeline

December 9, 2025 CVE published
December 9, 2025 Record updated