There is a potential vulnerability in Traefik managing requests with Content-length
and no body
.
Sending a GET
request to any Traefik endpoint with the Content-length
request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.
If you have any questions or comments about this advisory, please open an issue.
{ "nvd_published_at": "2024-04-12T22:15:07Z", "cwe_ids": [ "CWE-404", "CWE-755" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-12T17:05:13Z" }