FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

traefik -- Inverted TLS Verification Logic in Kubernetes NGINX Provider

Affected packages
traefik < 3.6.3

Details

VuXML ID dc7e30db-de67-11f0-b893-5404a68ad561
Discovery 2025-12-08
Entry 2025-12-21

The traefik project reports:

There is a potential vulnerability in Traefik NGINX provider managing the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. The provider inverts the semantics of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.

[source]

References

CVE Name CVE-2025-66491
URL https://nvd.nist.gov/vuln/detail/CVE-2025-66491

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.