{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66491", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-02T22:44:04.707Z", "datePublished": "2025-12-09T00:38:39.208Z", "dateUpdated": "2025-12-09T16:03:28.511Z"}, "containers": {"cna": {"title": "Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"}, {"name": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.3"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": ">= 3.5.0, < 3.6.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-09T00:38:39.208Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \"on\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3."}], "source": {"advisory": "GHSA-7vww-mvcr-x6vj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-09T14:17:29.439457Z", "id": "CVE-2025-66491", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T16:03:28.511Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66491", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-09T14:17:29.439457Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T14:17:32.518Z"}}], "cna": {"title": "Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider", "source": {"advisory": "GHSA-7vww-mvcr-x6vj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": ">= 3.5.0, < 3.6.3"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4", "name": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.3", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \"on\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-09T00:38:39.208Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66491", "state": "PUBLISHED", "dateUpdated": "2025-12-09T16:03:28.511Z", "dateReserved": "2025-12-02T22:44:04.707Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-09T00:38:39.208Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \"on\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3."}], "id": "CVE-2025-66491", "lastModified": "2025-12-09T18:37:13.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-12-09T01:16:55.720", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.6.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/traefik/traefik: Traefik has Inverted TLS Verification Logic in its ingress-nginx Provider", "id": "2420303", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420303"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \"on\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-66491", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2025-12-09T00:38:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66491\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66491\nhttps://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4\nhttps://github.com/traefik/traefik/releases/tag/v3.6.3\nhttps://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj"], "threat_severity": "Moderate"}