fix(deps): update module github.com/traefik/traefik/v2 to v2.11.42 [security]#555
Open
renovate[bot] wants to merge 1 commit into master from
Conversation
This PR contains the following updates:
github.com/traefik/traefik/v2: v2.11.41 → v2.11.42

GitHub Vulnerability Alerts
CVE-2026-33433
Summary
There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when headerField is configured with a non-canonical HTTP header name. An authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any identity to the backend. Because Traefik writes the authenticated username using a non-canonical map key, it creates a separate header entry rather than overwriting the attacker's canonical one, causing most backend frameworks to read the attacker-controlled value instead.
Patches
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description
Summary
When headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject a canonical version of that header to impersonate any identity to the backend. The backend receives two header entries; the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Tested on Traefik v3.6.10.
Details
At pkg/middlewares/auth/basic_auth.go:92, the authenticated username is written using direct map assignment:
Go's http.Header map is keyed by canonical names (e.g., X-Auth-User). Direct assignment with a non-canonical key (x-auth-user) creates a separate map entry from any canonical-key entry already present. The attacker's X-Auth-User: superadmin occupies the canonical slot and is never overwritten by Traefik's non-canonical write.
The same bug exists in pkg/middlewares/auth/digest_auth.go:100. Notably, forward.go:254 correctly uses http.CanonicalHeaderKey(), showing the fix pattern already exists in the codebase.
PoC
Traefik config (YAML, Docker labels, or REST API):
Normal request (baseline):
Attack request:
Control test: when headerField uses canonical casing (X-Auth-User), the attack fails. Traefik's write correctly overwrites the attacker's header.
This is realistic because YAML conventions favor lowercase keys, Traefik docs don't warn about canonicalization, and the pattern of backends trusting the headerField header is recommended in Traefik's own documentation.
Fix suggestion:
Also strip any incoming headerField header before the auth check with req.Header.Del(b.headerField).
Impact
An authenticated attacker with valid credentials (even low-privilege) can impersonate any other user identity to backend services. If backends use the headerField header for authorization decisions (which is the intended use case per Traefik docs), this enables privilege escalation, e.g., a regular user impersonating an admin.
The attack requires the operator to configure headerField with a non-canonical header name, which is the natural thing to do in YAML and is not warned against in documentation.

GHSA-46wh-3698-f2cx
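The map-key behaviour the report relies on can be reproduced with nothing but Go's standard library. The following is an added example written for this page, not Traefik's middleware code and not the reporter's PoC: it builds a constructed request in which an attacker authenticated as "alice" has injected the canonical X-Auth-User header, then compares a direct map assignment (the pattern described in the report) with a write that deletes the client-supplied copy and goes through Header.Set. The function names, the user names and the isCanonicalHeaderName check are assumptions made for the example; the check is what an operator can run against a configured headerField value to tell whether the pre-fix code would have been exposed.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
)

// Added illustration of the http.Header behaviour described in the report;
// it is not Traefik's middleware code. Function names and the sample
// request below are assumptions made for this example.

// isCanonicalHeaderName is the operator-side check: a configured headerField
// is only safe under the pre-fix write if it already equals its canonical form.
func isCanonicalHeaderName(name string) bool {
	return http.CanonicalHeaderKey(name) == name
}

// vulnerableWrite reproduces the pattern in the report: direct map assignment
// under the configured key. Map assignment does not canonicalise, so a
// lowercase key lands in a different slot than an attacker's canonical one.
func vulnerableWrite(h http.Header, headerField, user string) {
	h[headerField] = []string{user}
}

// hardenedWrite drops any client-supplied copy first, then writes through
// Header.Set; both Del and Set canonicalise the key before touching the map.
func hardenedWrite(h http.Header, headerField, user string) {
	h.Del(headerField)
	h.Set(headerField, user)
}

// backendView is what a typical Go backend sees: Header.Get canonicalises
// the lookup key, so it reads only the canonical slot.
func backendView(h http.Header, headerField string) string {
	return h.Get(headerField)
}

// wireForm renders the header block as Header.Write serialises it, which is
// sorted by key, so "X-Auth-User" precedes "x-auth-user" on the wire.
func wireForm(h http.Header) string {
	var buf bytes.Buffer
	_ = h.Write(&buf)
	return buf.String()
}

// simulate builds a constructed attack request: the caller holds valid
// credentials as "alice" but has injected the canonical header naming
// "superadmin". It returns what the backend reads and the serialised headers.
func simulate(headerField string, write func(http.Header, string, string)) (seen, wire string) {
	req := http.Header{}
	req.Add("X-Auth-User", "superadmin") // attacker-supplied, already canonical
	write(req, headerField, "alice")     // middleware writes the real identity
	return backendView(req, headerField), wireForm(req)
}

func main() {
	for _, c := range []struct {
		field string
		write func(http.Header, string, string)
		label string
	}{
		{"x-auth-user", vulnerableWrite, "non-canonical field, direct assignment"},
		{"X-Auth-User", vulnerableWrite, "canonical field, direct assignment"},
		{"x-auth-user", hardenedWrite, "non-canonical field, Del+Set"},
	} {
		seen, wire := simulate(c.field, c.write)
		fmt.Printf("%s\n  canonical field? %v\n  backend reads: %q\n  wire: %q\n",
			c.label, isCanonicalHeaderName(c.field), seen, wire)
	}
}
```

The first case is the reported bypass: the backend reads "superadmin" and the wire carries both entries with the attacker's first. The second case shows why the control test in the report passes, and the third shows that a canonicalising delete-then-set makes the configured casing irrelevant.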
Summary
There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).
A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 :path pseudo-header omitting the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server routes such requests correctly, path-based authorization interceptors evaluate the raw non-canonical path and fail to match "deny" rules, allowing the request to bypass the policy entirely if a fallback "allow" rule is present.
Patches
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description
Summary
This CVE affects Traefik up to version 3.6.11 and 2.11.41.
gRPC-Go has an authorization bypass via missing leading slash in :path
Details
As described in GHSA-p77j-4mvh-x3m3
PoC
Update library version in
https://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108
Impact
Is described in GHSA-p77j-4mvh-x3m3
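The bypass class the advisory describes, a deny rule matched against the raw :path and a catch-all allow behind it, is easy to reproduce in isolation. The block below is an added example for this page; it is not gRPC-Go's authorization code and does not reproduce its API. The policy shape (a list of denied full-method names plus a fallback allow), the method names, and the canonicalMethodPath pre-check are assumptions made for the illustration. It pairs the raw-match evaluation with a strict variant that refuses any :path not of the form /service/method before the policy is consulted, which is the check a hardened interceptor would perform.

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration of the advisory's bug class, not gRPC-Go's code. The
// policy shape, rule names and method names are assumptions for this example.

// authzPolicy holds full-method deny rules and a fallback allow decision,
// the "deny list then allow everything else" arrangement the advisory names.
type authzPolicy struct {
	denyMethods   []string // e.g. "/admin.Service/Reset"
	fallbackAllow bool
}

// authorizeRaw compares the :path exactly as received. A request carrying
// "admin.Service/Reset" (no leading slash) matches no deny rule and falls
// through to the allow rule, even though it routes to the same method.
func (p authzPolicy) authorizeRaw(path string) bool {
	for _, denied := range p.denyMethods {
		if path == denied {
			return false
		}
	}
	return p.fallbackAllow
}

// canonicalMethodPath accepts only "/<service>/<method>" and rejects
// everything else, so a path that would not match the deny rules cannot
// reach policy evaluation in a different shape than the rules expect.
func canonicalMethodPath(path string) (string, error) {
	if !strings.HasPrefix(path, "/") {
		return "", fmt.Errorf("malformed :path %q: missing leading slash", path)
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("malformed :path %q: expected /service/method", path)
	}
	return path, nil
}

// authorizeStrict validates the pseudo-header first and evaluates the
// policy only on a well-formed path; malformed input is denied with an error.
func (p authzPolicy) authorizeStrict(path string) (bool, error) {
	canon, err := canonicalMethodPath(path)
	if err != nil {
		return false, err
	}
	return p.authorizeRaw(canon), nil
}

func main() {
	policy := authzPolicy{denyMethods: []string{"/admin.Service/Reset"}, fallbackAllow: true}
	// Constructed sample of :path values as an attacker and a normal client would send them.
	for _, path := range []string{"/admin.Service/Reset", "admin.Service/Reset", "/public.Service/Ping", "//x"} {
		raw := policy.authorizeRaw(path)
		strict, err := policy.authorizeStrict(path)
		fmt.Printf("%-22q raw=%-5v strict=%-5v err=%v\n", path, raw, strict, err)
	}
}
```

The second sample path is the advisory's case: the raw evaluation allows it while the strict one rejects it before any rule is consulted. Whether an interceptor should normalise (prepend the slash) or reject is a policy choice; rejecting is the smaller surface, since the rules were written for canonical names only.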
Release Notes
traefik/traefik (github.com/traefik/traefik/v2)
v2.11.42 (Compare Source)
All Commits
Bug fixes:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.