Traefik Connection Header Vulnerability Allows Bypassing X-Forwarded Header Protection

Vulnerability

A vulnerability exists in Traefik, an HTTP reverse proxy and load balancer, affecting versions 2.11.9 through 2.11.37 (fixed in 2.11.38) and 3.1.3 through 3.6.8 (fixed in 3.6.9). The issue lies in how Traefik handles the Connection header in relation to the X-Forwarded headers it manages. Connection is a hop-by-hop header: a proxy removes every header named in its token list before forwarding the request (RFC 7230, section 6.1), which means a client can ask the proxy to drop arbitrary headers. Traefik therefore has a safeguard so that headers it sets itself (such as X-Real-Ip, X-Forwarded-Host and X-Forwarded-Port) cannot be stripped this way. For HTTP/1.1 requests, however, that safeguard compares Connection tokens against the protected header names case-sensitively, while the deletion step, like all HTTP header-name handling, is case-insensitive. A remote, unauthenticated client can send lowercase tokens (for example "Connection: close, x-forwarded-host") that the guard does not recognise but the removal step still honours, stripping Traefik-managed forwarded identity headers before the request reaches the backend. Downstream services that rely on these headers for authentication, authorization, routing or scheme decisions then receive a request without them.
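The guard-versus-deletion mismatch described above, as an added Go example written for this page; it is not Traefik's code and does not reproduce Traefik's actual patch. The protected-header list, the sample header values and the two guard variants are assumptions made for the illustration. The flawed guard compares tokens byte-for-byte, while http.Header.Del canonicalises the name it is given, so a lowercase token passes the guard and still deletes the header:

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers the proxy sets for the backend and must not let a client strip.
// The names come from the advisory; treating exactly these three as the
// managed set is an assumption for this example.
var protectedHeaders = []string{"X-Real-Ip", "X-Forwarded-Host", "X-Forwarded-Port"}

// isProtected compares a Connection token with the protected names.
// caseSensitive=true models the flawed guard from the advisory:
// "x-forwarded-host" != "X-Forwarded-Host", so the token is not recognised.
// caseSensitive=false is one correct guard: header names are case-insensitive
// per RFC 7230, so compare them that way (canonicalising the token with
// textproto.CanonicalMIMEHeaderKey before comparing would work equally well).
func isProtected(token string, caseSensitive bool) bool {
	for _, p := range protectedHeaders {
		if caseSensitive && token == p {
			return true
		}
		if !caseSensitive && strings.EqualFold(token, p) {
			return true
		}
	}
	return false
}

// stripHopByHop performs the hop-by-hop removal a proxy does before forwarding
// (RFC 7230 section 6.1): each token in Connection names a header to delete.
// http.Header.Del canonicalises its argument, so the deletion itself is
// case-insensitive; the mismatch with a case-sensitive guard is the bug.
func stripHopByHop(h http.Header, caseSensitiveGuard bool) {
	for _, token := range strings.Split(h.Get("Connection"), ",") {
		token = strings.TrimSpace(token)
		if token == "" || isProtected(token, caseSensitiveGuard) {
			continue
		}
		h.Del(token)
	}
	h.Del("Connection") // Connection itself is hop-by-hop
}

// strippedProtected builds a request carrying the proxy-managed headers
// (constructed sample values), applies a client-supplied Connection value,
// and reports which protected headers the backend would no longer receive.
func strippedProtected(connection string, caseSensitiveGuard bool) []string {
	h := http.Header{}
	h.Set("X-Real-Ip", "203.0.113.7")
	h.Set("X-Forwarded-Host", "app.example")
	h.Set("X-Forwarded-Port", "443")
	h.Set("Connection", connection)
	stripHopByHop(h, caseSensitiveGuard)
	var missing []string
	for _, p := range protectedHeaders {
		if h.Get(p) == "" {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	attack := "close, x-forwarded-host, x-real-ip"
	fmt.Println("exact-case token, flawed guard:", strippedProtected("close, X-Forwarded-Host", true)) // []
	fmt.Println("lowercase tokens, flawed guard:", strippedProtected(attack, true))                     // [X-Real-Ip X-Forwarded-Host]
	fmt.Println("lowercase tokens, fixed guard: ", strippedProtected(attack, false))                    // []
}
```

The exact-case token is blocked even by the flawed guard, which is why the original protection looked sufficient; only the casing mismatch opens the bypass. Any guard that filters header names must normalise case the same way the code that later acts on those names does.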

Impact

A remote, unauthenticated client can strip the X-Forwarded headers Traefik manages (X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port) before a request reaches the backend. Services behind Traefik that trust those headers then see a request with no forwarded client IP, host or port, which can undermine decisions that depend on them: IP-based authentication or authorization, host-based routing, and scheme or port selection.

Remediation

Upgrade to Traefik 2.11.38 (for the 2.11 line) or 3.6.9 (for the 3.x line), which fix this vulnerability.

Added: Mar 5, 2026, 7:20 PM
Updated: Mar 5, 2026, 7:43 PM

Vulnerability Rating (Custom Algorithm)

spread          7.6
impact          0.6
exploitability  8.3
remediation     7.7
relevance       3.5
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.