CVE-2023-29013

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.

Published: Apr 14, 2023
Updated: May 4, 2025
CVE: CVE-2023-29013
GHSA: GHSA-7hj9-rv74-5g92
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
github.com/traefik/traefik/v2	-	2.9.10
github.com/traefik/traefik/v2	2.10.0-rc1	2.10.0-rc1.x
github.com/traefik/traefik/v2	2.10.0-rc1	2.10.0-rc2
traefik / traefik	2.10.0-rc1	2.10.0-rc1.x
traefik / traefik	-	2.9.10

https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49
https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
https://github.com/traefik/traefik/releases/tag/v2.9.10
https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92
https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8/m/OV40vnafAwAJ
https://security.netapp.com/advisory/ntap-20230517-0008
https://security.netapp.com/advisory/ntap-20230517-0008/

Vulnerability Database

289,571

CVE-2023-29013