Security Vulnerability Report
CVE-2025-66491 CVSS 5.9 MEDIUM

CVE-2025-66491

Published: 2025-12-09 01:16:56
Last Modified: 2026-01-02 21:12:07

Description

Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* - VULNERABLE
Traefik 3.5.0 - 3.5.x
Traefik 3.6.0 - 3.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66491 PoC - Traefik TLS verification logic inversion
# When proxy-ssl-verify is set to "on", verification is actually disabled

# Annotation whose handling is inverted in Traefik 3.5.0 through 3.6.2
ANNOTATION = 'nginx.ingress.kubernetes.io/proxy-ssl-verify'


def check_traefik_version(version):
    """Return True if the Traefik version is in the affected range (3.5.0 through 3.6.2)."""
    parts = version.split('.')
    major = int(parts[0])
    minor = int(parts[1])
    patch = int(parts[2])
    if major == 3 and minor in [5, 6]:
        if minor == 5 and patch >= 0:
            return True
        if minor == 6 and patch <= 2:
            return True
    return False


def exploit_scenario():
    """
    Attack scenario walkthrough:
    1. The attacker sits between Traefik and the backend service
    2. Traefik is configured with proxy-ssl-verify: "on"
    3. Because of the inverted logic, TLS verification is actually disabled
    4. The attacker can intercept traffic using a self-signed certificate
    """
    # Simulate inspecting the Ingress configuration
    ingress_config = {
        'metadata': {
            'annotations': {
                ANNOTATION: 'on'  # intended to enable verification
            }
        }
    }
    # The logic should be: on = enabled, but the affected versions invert it
    # (look up the full annotation key; the short key 'proxy-ssl-verify' is never set)
    ssl_verify = ingress_config['metadata']['annotations'].get(ANNOTATION)
    # The faulty implementation
    if ssl_verify == 'on':
        actual_verification = False  # verification is actually disabled!
    else:
        actual_verification = True
    print(f"[+] Configured value: proxy-ssl-verify = {ssl_verify}")
    print(f"[-] Effective verification state: {'enabled' if actual_verification else 'disabled'}")
    if not actual_verification:
        print("[!] Security risk: backend TLS certificate verification is disabled, exposed to MITM")
    return actual_verification


def verify_fix():
    """Verify the fix: upgrade to 3.6.3 or later."""
    current_version = "3.6.2"  # affected version
    fixed_version = "3.6.3"
    print(f"[*] Current version: {current_version}")
    print(f"[*] Fixed version: {fixed_version}")
    print(f"[*] Current version affected: {check_traefik_version(current_version)}")
    print(f"[*] Fixed version not affected: {not check_traefik_version(fixed_version)}")


if __name__ == "__main__":
    exploit_scenario()
    verify_fix()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66491", "sourceIdentifier": "[email protected]", "published": "2025-12-09T01:16:55.720", "lastModified": "2026-01-02T21:12:07.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to \"on\" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.6.3", "matchCriteriaId": "C2211A70-8944-46AA-B318-B3669174DBCE"}]}]}], "references": [{"url": "https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj", "source": "[email protected]", 
"tags": ["Patch", "Vendor Advisory"]}]}}