Skip to content

Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall

Moderate severity GitHub Reviewed Published Jan 15, 2026 in traefik/traefik • Updated Jan 16, 2026

Package

gomod github.com/traefik/traefik/v2 (Go)

Affected versions

<= 2.11.34

Patched versions

2.11.35
gomod github.com/traefik/traefik/v3 (Go)
<= 3.6.6
3.6.7

Description

Impact

There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.

A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.

Patches

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

[Security] ACME TLS-ALPN fast path lacks timeouts and close on handshake stall

Dear Traefik security team,

We believe we have identified a resource-exhaustion issue in the ACME TLS-ALPN fast path that can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.

Summary

  • Affected code: pkg/server/router/tcp/router.go (ACME TLS-ALPN handling).
  • When a ClientHello advertises acme-tls/1, Traefik intercepts it and calls tls.Server(...).Handshake() without any read/write deadlines and without closing the connection afterward.
  • Immediately before this branch, existing deadlines set by the entrypoint are cleared.
  • A client that sends the ALPN marker and then stops responding can keep the goroutine and socket open indefinitely, potentially exhausting the entrypoint under load.
  • Exposure is limited to entrypoints where the ACME TLS-ALPN challenge is enabled and ACME bypass is not allowed.

Relevant snippets

// Deadlines are cleared before protocol dispatch
if err := conn.SetDeadline(time.Time{}); err != nil {
    log.Error().Err(err).Msg("Error while setting deadline")
}

// ACME TLS-ALPN fast path
if !r.acmeTLSPassthrough && slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) {
    r.acmeTLSALPNHandler().ServeTCP(r.GetConn(conn, hello.peeked))
    return
}
// Handler invoked by the branch above
return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
    _ = tls.Server(conn, r.httpsTLSConfig).Handshake()
})

Impact

  • Each stalled handshake consumes a goroutine and FD with no timeout and no server-side close.
  • A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entrypoint.
  • Normal HTTPS handling uses http.Server timeouts; this bespoke path bypasses them.

Conditions for exploitation

  • ACME TLS-ALPN challenge enabled (default when configured).
  • allowACMEByPass disabled for the entrypoint (the default when ACME TLS challenge is handled by Traefik).

CWE

  • CWE-400: Uncontrolled Resource Consumption.

Proposed fix (illustrative)

@@ func (r *Router) acmeTLSALPNHandler() tcp.Handler {
-    return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
-        _ = tls.Server(conn, r.httpsTLSConfig).Handshake()
-    })
+    return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
+        // Ensure the handshake cannot block indefinitely and always closes the socket.
+        _ = conn.SetReadDeadline(time.Now().Add(10 * time.Second))
+        _ = conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
+
+        tlsConn := tls.Server(conn, r.httpsTLSConfig)
+        _ = tlsConn.Handshake()
+        _ = tlsConn.Close() // close regardless of handshake outcome
+    })
 }

Alternatively, route ACME TLS-ALPN through the existing tcp.TLSHandler/HTTP server path so the configured timeouts and lifecycle management apply automatically.

CVSS v3.1 (estimate)

  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Base score: 7.5 (High)
  • Rationale: Network-only, no auth/user interaction required; impact is service availability via resource exhaustion; no confidentiality or integrity impact.

Please let us know if you would like a PoC or further details. We have not made any code changes in this report.

Let us know if you have any questions or need clarification!

Best wishes,
Pavel Kohout
Aisle Research

### References - https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq - https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d - https://github.com/traefik/traefik/releases/tag/v2.11.35 - https://github.com/traefik/traefik/releases/tag/v3.6.7 - https://nvd.nist.gov/vuln/detail/CVE-2026-22045
@nmengin nmengin published to traefik/traefik Jan 15, 2026
Published to the GitHub Advisory Database Jan 15, 2026
Reviewed Jan 15, 2026
Published by the National Vulnerability Database Jan 15, 2026
Last updated Jan 16, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(1st percentile)

Weaknesses

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. Learn more on MITRE.

CVE ID

CVE-2026-22045

GHSA ID

GHSA-cwjm-3f7h-9hwq

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.