{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25949", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.065Z", "datePublished": "2026-02-12T20:01:19.600Z", "dateUpdated": "2026-02-12T21:16:17.659Z"}, "containers": {"cna": {"title": "Traefik: TCP readTimeout bypass via STARTTLS on Postgres", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"}, {"name": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.6.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.8"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 3.6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T20:01:19.600Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."}], "source": {"advisory": "GHSA-89p3-4642-cr2w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T20:47:57.313606Z", "id": "CVE-2026-25949", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:16:17.659Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T20:47:57.313606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:15:53.389Z"}}], "cna": {"title": "Traefik: TCP readTimeout bypass via STARTTLS on Postgres", "source": {"advisory": "GHSA-89p3-4642-cr2w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 3.6.8"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678", "name": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.8", "name": "https://github.com/traefik/traefik/releases/tag/v3.6.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T20:01:19.600Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25949", "state": "PUBLISHED", "dateUpdated": "2026-02-12T21:16:17.659Z", "dateReserved": "2026-02-09T17:13:54.065Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T20:01:19.600Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "05ADF4F6-5356-4E37-9CBB-0C5058E249D5", "versionEndExcluding": "3.6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain open indefinitely, leading to a denial of service. This vulnerability is fixed in 3.6.8."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un balanceador de carga. Antes de la versi\u00f3n 3.6.8, existe una posible vulnerabilidad en Traefik al gestionar solicitudes STARTTLS. Un cliente no autenticado puede eludir el respondingTimeouts.readTimeout del punto de entrada de Traefik enviando el pre\u00e1mbulo de 8 bytes de Postgres SSLRequest (STARTTLS) y luego estanc\u00e1ndose, lo que provoca que las conexiones permanezcan abiertas indefinidamente, lo que lleva a una denegaci\u00f3n de servicio. Esta vulnerabilidad se corrige en la versi\u00f3n 3.6.8."}], "id": "CVE-2026-25949", "lastModified": "2026-02-20T18:44:41.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T20:16:11.227", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.6.8"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/traefik/traefik: Traefik: Denial of Service via stalled STARTTLS requests", "id": "2439522", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439522"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["No description is available for this CVE."], "name": "CVE-2026-25949", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-02-12T20:01:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25949\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25949\nhttps://github.com/traefik/traefik/commit/31e566e9f1d7888ccb6fbc18bfed427203c35678\nhttps://github.com/traefik/traefik/releases/tag/v3.6.8\nhttps://github.com/traefik/traefik/security/advisories/GHSA-89p3-4642-cr2w"], "statement": "This is an IMPORTANT denial of service flaw in Traefik, an HTTP reverse proxy and load balancer, affecting Red Hat OpenShift Dev Spaces. An unauthenticated client can exploit this by sending a specific STARTTLS request and then stalling, which bypasses configured read timeouts and causes connections to remain open indefinitely, leading to resource exhaustion.", "threat_severity": "Important"}

{"created": "2026-02-13T21:29:27.479636+00:00", "updated": "2026-02-13T21:29:27.479701+00:00", "vendors": ["traefik", "traefik$PRODUCT$traefik"]}