Description
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
Published: 2026-06-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traefik before 2.10.5 and 3.0.0-beta4 is vulnerable to a denial-of-service condition in its HTTP/2 handling. A remote client opens HTTP/2 streams and cancels each one with RST_STREAM immediately after sending its headers. The server has already started work on every such request, yet a cancelled stream no longer counts towards the connection's concurrent-stream limit, so a single connection can keep the server busy with far more requests than that limit allows and exhaust CPU and memory. The flaw originates in the Go standard library's HTTP/2 code and is the same issue tracked as CVE-2023-44487 (the protocol-level Rapid Reset technique) and CVE-2023-39325 (the Go-specific fix).

Affected Systems

The affected product is Traefik, the Go-based reverse proxy and ingress controller. On the 2.x line, every release before 2.10.5 is affected; on the 3.x line, the 3.0.0 pre-releases before 3.0.0-beta4. The enrichment data on this page also lists Traefik Enterprise (CPE cpe:2.3:a:traefik:traefik_enterprise) as affected. Because the bug sits in the Go HTTP/2 implementation rather than in Traefik's own code, what decides the exposure of a given build is the Go toolchain it was compiled with; the fixed Traefik releases are the ones rebuilt with a corrected toolchain.

Risk and Exploitability

The CVSS v4.0 score is 8.7 (High); the CVSS v3.1 score is 7.5. Both vectors describe a network-reachable attack of low complexity that needs no privileges or user interaction and affects availability only. EPSS is below 1% (Very Low). Any client that can negotiate an HTTP/2 connection to an affected entry point can carry out the attack, and the Rapid Reset technique is cheap to run: one connection is enough to generate server-side load well above what the concurrent-stream limit suggests, and public tooling for it exists. The flaw is not listed in the CISA KEV catalog, and the SSVC assessment on this page records no known exploitation, but it rates the attack as automatable, so the availability risk for Internet-facing entry points is significant.

Generated by OpenCVE AI on June 23, 2026 at 13:52 UTC.

Remediation

The page records no vendor fix or workaround entry. The description itself bounds the affected versions, so 2.10.5 on the 2.x line and 3.0.0-beta4 on the 3.x line are the first releases outside the affected range.

OpenCVE Recommended Actions

  • Upgrade to Traefik 2.10.5 or later on the 2.x line, or to 3.0.0-beta4 or later on the 3.x line. These releases carry the corrected Go HTTP/2 implementation; no Traefik configuration change substitutes for the rebuilt binary.
  • If an immediate upgrade is not possible, lower the per-connection stream limit on each TLS entry point (the static option entryPoints.<name>.http2.maxConcurrentStreams, default 250) to bound the work one connection can have in flight, and disable HTTP/2 where the deployment allows it, for example by not offering h2 in ALPN at a TLS terminator in front of Traefik. Treat the stream limit as a partial measure only: Rapid Reset is designed to sidestep it, since a stream the client resets frees its slot immediately while the server is still doing the work, so the limit slows the attack rather than preventing it.
  • Monitor for the attack's signature: a high rate of RST_STREAM frames, or of streams opened and cancelled, on a single connection, and sustained CPU and memory growth on the proxy without a matching rise in completed requests. Rate-limit or block connections that show this pattern at the edge, and prefer limits that act per source address or per connection rather than per request, since the attacker's requests never complete.
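
As an added example, not code from this OpenCVE page or from the Traefik project: a small Go program that decides whether a Traefik version string falls inside the affected ranges named above (before 2.10.5, or a 3.0.0 pre-release before beta4), the check an inventory or upgrade script needs before acting on the recommendation. The detail such scripts usually get wrong is pre-release ordering: 3.0.0-beta3 is affected while 3.0.0-beta4, 3.0.0-beta10 and 3.0.0 are not, so a plain string comparison of the tag is not enough. The program name traefikcheck and its treatment of 1.x tags as inside "before 2.10.5" are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// version is a parsed MAJOR.MINOR.PATCH[-PRERELEASE] string ("2.10.5", "v3.0.0-beta4").
type version struct {
	major, minor, patch int
	pre                 string // "" for a final release
}

var (
	verRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$`)
	preRe = regexp.MustCompile(`^([^0-9]*)(\d*)$`) // "beta4" -> word "beta", number "4"
)

func atoi(s string) int { n, _ := strconv.Atoi(s); return n }

// parseVersion accepts tag-style strings with or without a leading "v";
// anything else is reported as an error rather than guessed at.
func parseVersion(s string) (version, error) {
	m := verRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return version{}, fmt.Errorf("unrecognised version %q", s)
	}
	return version{atoi(m[1]), atoi(m[2]), atoi(m[3]), m[4]}, nil
}

// cmp is a three-way integer comparison returning -1, 0 or 1.
func cmp(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// comparePre orders prerelease tags the semver way: a final release ("") sorts after
// any prerelease, tags sharing a word compare numerically ("beta4" < "beta10"), and
// tags with different words ("beta4" vs "rc1") fall back to plain string order.
func comparePre(a, b string) int {
	if a == "" || b == "" {
		return cmp(len(b), len(a)) // the empty (final) side is the greater one
	}
	ma, mb := preRe.FindStringSubmatch(a), preRe.FindStringSubmatch(b)
	if ma == nil || mb == nil || ma[1] != mb[1] {
		return strings.Compare(a, b)
	}
	return cmp(atoi(ma[2]), atoi(mb[2]))
}

// compare returns -1, 0 or 1 for a < b, a == b, a > b.
func compare(a, b version) int {
	for _, p := range [][2]int{{a.major, b.major}, {a.minor, b.minor}, {a.patch, b.patch}} {
		if r := cmp(p[0], p[1]); r != 0 {
			return r
		}
	}
	return comparePre(a.pre, b.pre)
}

// affected applies the ranges the advisory names: on the 3.x line, pre-releases before
// 3.0.0-beta4; otherwise anything before 2.10.5 (read literally, that includes 1.x).
func affected(v version) bool {
	if v.major == 3 {
		return compare(v, version{3, 0, 0, "beta4"}) < 0
	}
	return compare(v, version{2, 10, 5, ""}) < 0
}

// verdict is the one-line result for a version string, or an error for bad input.
func verdict(s string) (string, error) {
	v, err := parseVersion(s)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("traefik %s in affected range for CVE-2023-54365: %v", strings.TrimSpace(s), affected(v)), nil
}

func main() {
	// Usage (this example's own convention): traefikcheck 2.10.4
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: traefikcheck <traefik-version>")
		os.Exit(2)
	}
	line, err := verdict(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(line)
}
```

The tag alone does not prove a deployed binary carries the inherited fix, since the fix lives in the Go toolchain the binary was built with. To confirm it, run `go version -m /path/to/traefik`, which prints the toolchain and module versions Go embeds in every binary, and compare them against the Go security release that fixed CVE-2023-39325 (Go 1.21.3 and 1.20.10, and golang.org/x/net v0.17.0 for the x/net HTTP/2 server; these version numbers come from that release, not from this page).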


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Values added (nothing removed):
  • First Time appeared: Traefik traefik
  • Vendors & Products: Traefik traefik

Tue, 23 Jun 2026 19:30:00 +0000

Values added (nothing removed):
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Values added (nothing removed):
  • Description: Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.
  • Title: Traefik - Denial of Service via HTTP/2 Request Handling
  • First Time appeared: Traefik; Traefik traefik Enterprise
  • Weaknesses: CWE-400
  • CPEs: cpe:2.3:a:traefik:traefik_enterprise:*:*:*:*:*:*:*:*
  • Vendors & Products: Traefik; Traefik traefik Enterprise
  • References: (empty)
  • Metrics:
      cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
      cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T18:13:51.614Z

Reserved: 2026-06-22T21:54:30.246Z

Link: CVE-2023-54365

Vulnrichment

Updated: 2026-06-23T18:13:47.410Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:06:25Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption