x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-cwjm-3f7h-9hwq

Advisory [GHSA-cwjm-3f7h-9hwq](https://github.com/advisories/GHSA-cwjm-3f7h-9hwq) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/traefik/traefik](https://pkg.go.dev/github.com/traefik/traefik) |
| [github.com/traefik/traefik/v2](https://pkg.go.dev/github.com/traefik/traefik/v2) |

Description:
## Impact

There is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled.

A malicious client can open many connections, send a minimal ClientHello with `acme-tls/1`, then stop responding, leading to denial of service of the entrypoint.  

## Patches

- https://github.com/traefik/traefik/releases/tag/v2.11.35
- https://github.com/traefik/traefik/releases/tag/v3.6.7

## For more information

If you have any quest...

References:
- ADVISORY: https://github.com/advisories/GHSA-cwjm-3f7h-9hwq
- ADVISORY: https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq
- FIX: https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d
- WEB: https://github.com/traefik/traefik/releases/tag/v2.11.35
- WEB: https://github.com/traefik/traefik/releases/tag/v3.6.7

Cross references:
- github.com/traefik/traefik appears in 26 other report(s):
  - data/excluded/GO-2023-2117.yaml    (https://github.com/golang/vulndb/issues/2117)    DEPENDENT_VULNERABILITY
  - data/reports/GO-2022-0325.yaml    (https://github.com/golang/vulndb/issues/325)
  - data/reports/GO-2022-0808.yaml    (https://github.com/golang/vulndb/issues/808)
  - data/reports/GO-2022-0923.yaml    (https://github.com/golang/vulndb/issues/923)
  - data/reports/GO-2022-1152.yaml    (https://github.com/golang/vulndb/issues/1152)
  - data/reports/GO-2022-1154.yaml    (https://github.com/golang/vulndb/issues/1154)
  - data/reports/GO-2023-1919.yaml    (https://github.com/golang/vulndb/issues/1919)
  - data/reports/GO-2023-1950.yaml    (https://github.com/golang/vulndb/issues/1950)
  - data/reports/GO-2023-2376.yaml    (https://github.com/golang/vulndb/issues/2376)
  - data/reports/GO-2023-2377.yaml    (https://github.com/golang/vulndb/issues/2377)
  - data/reports/GO-2023-2381.yaml    (https://github.com/golang/vulndb/issues/2381)
  - data/reports/GO-2024-2722.yaml    (https://github.com/golang/vulndb/issues/2722)
  - data/reports/GO-2024-2726.yaml    (https://github.com/golang/vulndb/issues/2726)
  - data/reports/GO-2024-2880.yaml    (https://github.com/golang/vulndb/issues/2880)
  - data/reports/GO-2024-2917.yaml    (https://github.com/golang/vulndb/issues/2917)
  - data/reports/GO-2024-2941.yaml    (https://github.com/golang/vulndb/issues/2941)
  - data/reports/GO-2024-2973.yaml    (https://github.com/golang/vulndb/issues/2973)
  - data/reports/GO-2024-3135.yaml    (https://github.com/golang/vulndb/issues/3135)
  - data/reports/GO-2024-3299.yaml    (https://github.com/golang/vulndb/issues/3299)
  - data/reports/GO-2024-3342.yaml    (https://github.com/golang/vulndb/issues/3342)
  - data/reports/GO-2025-3627.yaml    (https://github.com/golang/vulndb/issues/3627)
  - data/reports/GO-2025-3634.yaml    (https://github.com/golang/vulndb/issues/3634)
  - data/reports/GO-2025-3719.yaml    (https://github.com/golang/vulndb/issues/3719)
  - data/reports/GO-2025-3835.yaml    (https://github.com/golang/vulndb/issues/3835)
  - data/reports/GO-2025-4205.yaml    (https://github.com/golang/vulndb/issues/4205)
  - data/reports/GO-2025-4206.yaml    (https://github.com/golang/vulndb/issues/4206)
- github.com/traefik/traefik/v2 appears in 24 other report(s):
  - data/excluded/GO-2022-1057.yaml    (https://github.com/golang/vulndb/issues/1057)    DEPENDENT_VULNERABILITY
  - data/excluded/GO-2023-1715.yaml    (https://github.com/golang/vulndb/issues/1715)    DEPENDENT_VULNERABILITY
  - data/reports/GO-2022-0325.yaml    (https://github.com/golang/vulndb/issues/325)
  - data/reports/GO-2022-0923.yaml    (https://github.com/golang/vulndb/issues/923)
  - data/reports/GO-2022-1152.yaml    (https://github.com/golang/vulndb/issues/1152)
  - data/reports/GO-2022-1154.yaml    (https://github.com/golang/vulndb/issues/1154)
  - data/reports/GO-2023-2376.yaml    (https://github.com/golang/vulndb/issues/2376)
  - data/reports/GO-2023-2377.yaml    (https://github.com/golang/vulndb/issues/2377)
  - data/reports/GO-2023-2381.yaml    (https://github.com/golang/vulndb/issues/2381)
  - data/reports/GO-2024-2722.yaml    (https://github.com/golang/vulndb/issues/2722)
  - data/reports/GO-2024-2726.yaml    (https://github.com/golang/vulndb/issues/2726)
  - data/reports/GO-2024-2880.yaml    (https://github.com/golang/vulndb/issues/2880)
  - data/reports/GO-2024-2917.yaml    (https://github.com/golang/vulndb/issues/2917)
  - data/reports/GO-2024-2941.yaml    (https://github.com/golang/vulndb/issues/2941)
  - data/reports/GO-2024-2973.yaml    (https://github.com/golang/vulndb/issues/2973)
  - data/reports/GO-2024-3135.yaml    (https://github.com/golang/vulndb/issues/3135)
  - data/reports/GO-2024-3299.yaml    (https://github.com/golang/vulndb/issues/3299)
  - data/reports/GO-2024-3342.yaml    (https://github.com/golang/vulndb/issues/3342)
  - data/reports/GO-2025-3627.yaml    (https://github.com/golang/vulndb/issues/3627)
  - data/reports/GO-2025-3634.yaml    (https://github.com/golang/vulndb/issues/3634)
  - data/reports/GO-2025-3719.yaml    (https://github.com/golang/vulndb/issues/3719)
  - data/reports/GO-2025-3835.yaml    (https://github.com/golang/vulndb/issues/3835)
  - data/reports/GO-2025-4205.yaml    (https://github.com/golang/vulndb/issues/4205)
  - data/reports/GO-2025-4206.yaml    (https://github.com/golang/vulndb/issues/4206)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      non_go_versions:
        - introduced: TODO (earliest fixed "2.11.35", vuln range "<= 2.11.34")
        - introduced: TODO (earliest fixed "3.6.7", vuln range "<= 3.6.6")
      vulnerable_at: 1.7.34
    - module: github.com/traefik/traefik/v2
      vulnerable_at: 2.11.35
summary: Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall in github.com/traefik/traefik
cves:
    - CVE-2026-22045
ghsas:
    - GHSA-cwjm-3f7h-9hwq
references:
    - advisory: https://github.com/advisories/GHSA-cwjm-3f7h-9hwq
    - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq
    - fix: https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.35
    - web: https://github.com/traefik/traefik/releases/tag/v3.6.7
source:
    id: GHSA-cwjm-3f7h-9hwq
    created: 2026-01-15T23:01:21.962901777Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-cwjm-3f7h-9hwq #4322

Impact

Patches

For more information

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-cwjm-3f7h-9hwq #4322

Description

Impact

Patches

For more information

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions