Impact
Traefik’s SNICheck validation mishandles wildcard matching of TLSOptions when resolving the TLS options for HTTP Host headers. An attacker can exploit this flaw by completing a TLS handshake with a permissive SNI on the same entrypoint, then sending an HTTP Host header that targets a backend protected by a wildcard‑enforced client‑certificate policy (e.g., Host(*.example.com) with RequireAndVerifyClientCert). The attacker can therefore bypass mutual TLS enforcement and access the protected backend without presenting a client certificate. This is a high‑severity misconfiguration that impacts confidentiality and integrity of resources protected by stricter TLSOptions. The flaw is tracked by CWE-288 and CWE-807 and has been fixed in Traefik version 3.7.3.
Affected Systems
The issue affects Traefik, the HTTP reverse proxy and load balancer, for all releases from version 3.7.0 through 3.7.3 inclusive. Any deployment using a wildcard host rule (e.g., Host(*.example.com)) with stricter TLSOptions such as RequireAndVerifyClientCert is vulnerable unless the software is updated beyond 3.7.3.
Risk and Exploitability
The attacker does not require authentication and can exploit the flaw from any client capable of initiating a TLS handshake on a permissive SNI served by the same entrypoint as the protected router. The exploit path takes advantage of SNICheck’s exact‑match lookup function, which ignores wildcard TLSOptions. As the EPSS score is unavailable, the likelihood of exploitation remains uncertain, but the vulnerability has not been listed in the CISA KEV catalog. Given the CVSS score of 7.8 and the low complexity of the attack—merely choosing an appropriate SNI and HTTP Host header—the threat level is significant, especially for services exposed to untrusted networks.
OpenCVE Enrichment
Github GHSA