Traefik
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*
- <= v2.11.37
- <= v3.6.8
A denial-of-service vulnerability has been identified in Traefik versions prior to 2.11.38 and 3.6.9, specifically within the ForwardAuth middleware. When this middleware is active, Traefik reads the entire response body from the authentication server into memory without any size limitations. The absence of a maxResponseBodySize configuration allows for unrestricted data allocation. If the authentication server sends a large or unbounded response, it can cause Traefik to run out of memory, leading to a process crash. This disruption affects all routes handled by the Traefik instance.
Exploitation of this vulnerability can cause an out-of-memory condition, crashing the Traefik process and disrupting all routes served by the affected instance.
Users can upgrade to Traefik versions 2.11.38 or 3.6.9 to address this vulnerability.
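The unbounded-read pattern described above, beside the bounded read that removes it, as an added Go example that is not Traefik's own code: `readBodyBounded` caps how much of the authentication server's response is ever buffered (the parameter is named after the `maxResponseBodySize` option mentioned above), and `checkAuthServer` fails closed when that cap is exceeded. The function names, the fail-closed policy and the constructed fake auth server are assumptions for illustration.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrResponseTooLarge: the auth server's body exceeded maxResponseBodySize.
var ErrResponseTooLarge = errors.New("forward-auth response body exceeds maxResponseBodySize")

// readBodyBounded reads at most maxResponseBodySize bytes of the auth server's
// response. A bare io.ReadAll(body) is the unbounded pattern the advisory describes;
// reading one byte past the cap lets a body exactly at the limit through and
// rejects anything larger before it is buffered in full.
func readBodyBounded(body io.Reader, maxResponseBodySize int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(body, maxResponseBodySize+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxResponseBodySize {
		return nil, ErrResponseTooLarge
	}
	return buf, nil
}

// checkAuthServer calls the auth endpoint as a forward-auth middleware would and
// fails closed: a transport error or oversized body denies; otherwise 2xx allows.
func checkAuthServer(authURL string, maxResponseBodySize int64) (bool, error) {
	resp, err := http.Get(authURL)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if _, err := readBodyBounded(resp.Body, maxResponseBodySize); err != nil {
		return false, err
	}
	return resp.StatusCode >= 200 && resp.StatusCode < 300, nil
}

// newFakeAuthServer is a constructed stand-in for the auth server: it answers
// with the given status and a body of bodyLen bytes (e.g. 1<<20 for 1 MiB).
func newFakeAuthServer(status int, bodyLen int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(status)
		w.Write(make([]byte, bodyLen))
	}))
}
```

With a 1 MiB auth response and a 64 KiB cap, `checkAuthServer` returns `false` with `ErrResponseTooLarge` after buffering only 64 KiB + 1 byte, instead of holding the whole response in memory.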