CVE-2023-47633: 
NixOS vulnerability analysis and mitigation

Traefik, an open source HTTP reverse proxy and load balancer, was found to have a vulnerability (CVE-2023-47633) where the docker container would consume 100% CPU when serving as its own backend. This issue occurs due to an automatically generated route resulting from the Docker integration in the default configuration. The vulnerability was disclosed in December 2023 and affects versions up to 2.10.5 and up to 3.0.0-beta4 (GitHub Advisory).

The vulnerability stems from a configuration where Traefik creates an internal route with a host rule on the web entrypoint. When a request is made to the Traefik service using its container name as the hostname, it creates an endless loop of requests, leading to resource exhaustion. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

When exploited, this vulnerability renders the server unresponsive by consuming 100% CPU resources. The high availability impact affects the system's ability to process legitimate requests, effectively creating a denial of service condition (GitHub Advisory).

The vulnerability has been patched in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade to these or later versions. There are no known workarounds for this vulnerability (NVD, GitHub Release).