CVE-2024-28869

Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in version 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts	Product
https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6	Patch
https://github.com/traefik/traefik/releases/tag/v2.11.2	Release Notes
https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5	Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw	Patch Vendor Advisory
https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts	Product
https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6	Patch
https://github.com/traefik/traefik/releases/tag/v2.11.2	Release Notes
https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5	Release Notes
https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik:3.0.0:-::::::
	cpe:2.3:a:traefik:traefik:3.0.0:beta1::::::
	cpe:2.3:a:traefik:traefik:3.0.0:beta2::::::
	cpe:2.3:a:traefik:traefik:3.0.0:beta3::::::
	cpe:2.3:a:traefik:traefik:3.0.0:beta4::::::
	cpe:2.3:a:traefik:traefik:3.0.0:beta5::::::
	cpe:2.3:a:traefik:traefik:3.0.0:rc1::::::
	cpe:2.3:a:traefik:traefik:3.0.0:rc2::::::
	cpe:2.3:a:traefik:traefik:3.0.0:rc3::::::
	cpe:2.3:a:traefik:traefik:3.0.0:rc4::::::

History

26 Nov 2025, 13:12

Type	Values Removed	Values Added
First Time		Traefik Traefik traefik
CPE		cpe:2.3:a:traefik:traefik:3.0.0:rc4:::::: cpe:2.3:a:traefik:traefik:::::::: cpe:2.3:a:traefik:traefik:3.0.0:beta5:::::: cpe:2.3:a:traefik:traefik:3.0.0:-:::::: cpe:2.3:a:traefik:traefik:3.0.0:beta3:::::: cpe:2.3:a:traefik:traefik:3.0.0:rc3:::::: cpe:2.3:a:traefik:traefik:3.0.0:rc1:::::: cpe:2.3:a:traefik:traefik:3.0.0:beta1:::::: cpe:2.3:a:traefik:traefik:3.0.0:rc2:::::: cpe:2.3:a:traefik:traefik:3.0.0:beta2:::::: cpe:2.3:a:traefik:traefik:3.0.0:beta4::::::
References	~~() https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts -~~	() https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts - Product
References	~~() https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6 -~~	() https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6 - Patch
References	~~() https://github.com/traefik/traefik/releases/tag/v2.11.2 -~~	() https://github.com/traefik/traefik/releases/tag/v2.11.2 - Release Notes
References	~~() https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5 -~~	() https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5 - Release Notes
References	~~() https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw -~~	() https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw - Patch, Vendor Advisory

Information

Published : 2024-04-12 22:15

Updated : 2025-11-26 13:12

NVD link : CVE-2024-28869

Mitre link : CVE-2024-28869

CVE.ORG link : CVE-2024-28869

JSON object : View

Products Affected

traefik

traefik

CWE

CWE-755

Improper Handling of Exceptional Conditions

7.5 /10