
PEACH
Un cadre d’isolation des locataires
CVE-2023-54365 is a denial-of-service vulnerability in Traefik's HTTP/2 request handling, inherited from the Go standard library's HTTP/2 implementation via the 'Rapid Reset' technique (related to CVE-2023-44487 and CVE-2023-39325). It affects Traefik versions prior to 2.10.5 and 3.0.0-beta1 through 3.0.0-beta3, as well as Go versions prior to 1.20.10 and 1.21.0–1.21.2. Red Hat OpenShift AI (RHOAI) is also listed as an affected product. The CVE was published on June 23, 2026, with a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 base score of 8.7 (High) (Github Advisory, Traefik Advisory, Red Hat Bugzilla).
The root cause is uncontrolled resource consumption (CWE-400) and allocation of resources without limits or throttling (CWE-770) in the Go standard library's golang.org/x/net HTTP/2 implementation. The vulnerability is not caused by Traefik-specific code; rather, Traefik inherited it by depending on a vulnerable version of Go's HTTP/2 module (Red Hat CSAF). An unauthenticated remote attacker exploits the 'Rapid Reset' technique by rapidly opening and immediately canceling HTTP/2 streams (via RST_STREAM frames), causing the server to allocate resources for each stream without adequate throttling, ultimately exhausting server capacity. No authentication or user interaction is required, and the attack can be automated at scale (Traefik Advisory, Github Advisory).
Successful exploitation results in a denial of service, rendering the Traefik reverse proxy/load balancer unavailable to legitimate users. There is no impact on confidentiality or integrity — the attack is purely an availability concern. Because Traefik commonly serves as an ingress controller in containerized and cloud-native environments, its unavailability can cascade to all backend services it proxies, potentially causing broad service outages (Red Hat CSAF, Github Advisory).
Server: Traefik).stream reset by peer, connection reset); unusually high request rates from specific clients with no corresponding successful responses./metrics or /debug/pprof endpoints if exposed); system-level resource exhaustion indicators such as OOM events.The primary remediation is to upgrade Traefik to version 2.10.5 (v2 branch) or 3.0.0-beta4 (v3 branch), which include updated Go HTTP/2 dependencies containing the upstream fix. No configuration-based workaround is available from the Traefik project. As a supplementary defense-in-depth measure, consider implementing rate limiting and connection throttling at the network or load balancer level to reduce the impact of HTTP/2 stream exhaustion attacks. Red Hat OpenShift AI (RHOAI) users should apply available updates to the odh-rhel9-operator and rhai-cli-rhel9 components (Traefik Advisory, Red Hat CSAF).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."