CVE-2026-25949
Impact
There is a potential vulnerability in Traefik managing STARTTLS requests.
An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service.
Patches
- https://github.com/traefik/traefik/releases/tag/v3.6.8
For more information
If you have any questions or comments about this advisory, please open an issue.
<details>
<summary>Original Description</summary>
Summary
A remote, unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely and enabling file-descriptor and goroutine exhaustion denial of service.
This triggers during protocol detection before routing, so it is reachable on an entrypoint even when no Postgres/TCP routers are configured (the PoC uses only an HTTP router).
Details
Traefik applies per-connection deadlines based on entryPoints.<name>.transport.respondingTimeouts.readTimeout to prevent protocol detection and request reads from blocking forever (see pkg/server/server_entrypoint_tcp.go, which sets SetReadDeadline on accepted connections).
However, in the TCP router protocol detection path (pkg/server/router/tcp/router.go), when Traefik detects the Postgres STARTTLS signature on a new connection, it executes a fast-path that clears deadlines:
- detect Postgres SSLRequest (8-byte signature),
- call conn.SetDeadline(time.Time{}) (clears all deadlines),
- then enter the Postgres STARTTLS handler (servePostgres).
The Postgres handler (pkg/server/router/tcp/postgres.go) then blocks waiting for a TLS ClientHello via the same peeking logic used elsewhere (clientHelloInfo(br)), but with deadlines removed. An attacker can therefore:
1. connect to any internet-exposed TCP entrypoint,
2. send the Postgres SSLReques
⚡ Watch CVE-2026-25949
Get an email if CVE-2026-25949 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.71% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 49% of all EPSS-scored CVEs.
Advisory coverage (1)
- highGHSA-89p3-4642-cr2w: Traefik: TCP readTimeout bypass via STARTTLS on Postgresghsa · 2026-02-12
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-25949)