Containous Traefik
By the Year
In 2026 there have been 0 vulnerabilities in Containous Traefik. Traefik did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 7.50 |
| 2021 | 1 | 5.30 |
| 2020 | 3 | 4.70 |
| 2019 | 1 | 0.00 |
| 2018 | 1 | 0.00 |
It may take a day or so for new Traefik vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Containous Traefik Security Vulnerabilities
Traefik <2.9.0-rc5: HTTP/2 Close Hang DoS
CVE-2022-39271
7.5 - High
- October 11, 2022
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in how Traefik manages HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. A patch has been released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.
Improper Handling of Exceptional Conditions
Traefik before 2.4.5
CVE-2021-27375
5.3 - Medium
- February 18, 2021
Traefik before 2.4.5 allows the loading of IFRAME elements from other domains.
Clickjacking
In Traefik before versions 1.7.26
CVE-2020-15129
4.7 - Medium
- July 30, 2020
In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the "X-Forwarded-Prefix" header is a site-relative path and will redirect to any header-provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active exploitation of this issue is unlikely, as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisoning scenarios.
Open Redirect
Traefik 2.x, in certain configurations
CVE-2019-20894
- July 02, 2020
Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.
configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents
CVE-2020-9321
- March 16, 2020
configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation)
CVE-2019-12452
- May 29, 2019
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.
Containous Traefik 1.6.x before 1.6.6
CVE-2018-15598
- August 21, 2018
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.