Traefik is widely known for offering a no-fuss, cloud-native HTTP reverse proxy and load balancer for modern containerized applications. But in November 2023, a subtle CPU-eating bug was assigned an identifier: CVE-2023-47633. This flaw can send your server into a spin, and if you use the Docker integration in Traefik’s default setup, you could be at risk!
Let’s break down exactly what happened, why it’s dangerous, and how to keep your deployments safe.
The Vulnerability in Simple Terms
In its default Docker integration, Traefik automatically generates routes for containers. If you run Traefik itself *as a Docker container*, it “sees” its own service as a backend, and auto-generates a backend route pointing to itself.
If any HTTP traffic is routed *through* this “self-backend”, the server ends up routing that same request back to itself, creating an endless loop. This quickly consumes all available CPU, causing a Denial of Service (DoS).
Visualizing the Loop
[User Request] → [Traefik Frontend] → [Traefik Backend (itself)] → [Traefik Frontend] → ... (Infinite loop)
Just one legitimate HTTP request can create thousands of internal requests per second, each looping back into Traefik.
```yaml
volumes:
  - "/var/run/docker.sock:/var/run/docker.sock"
```

3. Open Traefik’s dashboard (http://localhost:8080/dashboard).
4. You’ll see that Traefik has registered itself as a backend route because it sees the running container.

```bash
curl http://localhost # or a request routed through the auto-discovered route
```
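Rather than eyeballing the dashboard, the same check can be scripted against Traefik’s API. This is an added example, not code from the original post or from the Traefik project: it assumes the API is enabled (`api.insecure=true` on port 8080) and reads the documented `GET /api/http/services` endpoint, whose entries carry `loadBalancer.servers[].url`; the service names and container addresses in the sample are constructed.

```python
"""Flag Docker-provided Traefik services whose backend is Traefik itself."""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample of what /api/http/services may return when Traefik runs
# as a Docker container and the Docker provider discovers it next to an app.
SAMPLE_SERVICES = json.loads("""[
  {"name": "whoami@docker", "provider": "docker", "status": "enabled",
   "loadBalancer": {"servers": [{"url": "http://172.18.0.3:80"}]}},
  {"name": "traefik@docker", "provider": "docker", "status": "enabled",
   "loadBalancer": {"servers": [{"url": "http://172.18.0.2:80"}]}}
]""")


def self_referencing_services(services, self_hosts):
    """Return the names of Docker-provided services whose backend host is one
    of the addresses Traefik itself listens on (self_hosts: IPs or hostnames).
    Such a service is exactly the 'Traefik as backend' route that loops."""
    wanted = {h.lower() for h in self_hosts}
    hits = []
    for svc in services:
        if svc.get("provider") != "docker":
            continue
        servers = svc.get("loadBalancer", {}).get("servers", [])
        for srv in servers:
            host = urlsplit(srv.get("url", "")).hostname or ""
            if host.lower() in wanted:
                hits.append(svc["name"])
                break  # one matching server is enough to flag the service
    return hits


def check_live(api_base="http://localhost:8080", self_hosts=()):
    """Fetch the real service list and run the check (needs a reachable API).
    Pass the Traefik container's own IP(s) or hostname as self_hosts."""
    with urlopen(f"{api_base}/api/http/services", timeout=5) as resp:
        services = json.load(resp)
    return self_referencing_services(services, self_hosts)


if __name__ == "__main__":
    # Offline demo on the constructed sample: 172.18.0.2 is the (constructed)
    # address of the Traefik container, so traefik@docker gets flagged.
    print(self_referencing_services(SAMPLE_SERVICES, {"172.18.0.2"}))
```

An empty result on a live instance means no Docker-discovered service points back at the addresses you supplied; a non-empty one names the route that would loop.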
Why It’s So Dangerous
- No authentication needed: Any internal or external user can trigger the loop if the route is exposed.
The Fix
The Traefik team responded by preventing registration of Traefik’s own Docker instance as a backend.
If you’re running Traefik with Docker, upgrade immediately:

```bash
docker pull traefik:2.10.6
# or for next-gen beta testers
docker pull traefik:3.0.0-beta5
```

Update your Docker Compose file’s image tag, then:

```bash
docker-compose down
docker-compose up -d
```
Exploit Details: How Attackers Can Abuse CVE-2023-47633
If an unauthorized user can send a request that is routed through the “Traefik as backend” route, they can drive your Traefik container to 100% CPU usage, potentially causing downtime for all the services behind Traefik.
While Traefik doesn’t expose itself as a backend by default, any misconfiguration or lack of filtering could open you up.
Simple Exploit

```bash
curl http://your.domain/path/routed/to/traefik-self
# Or, if routed via Host header, manipulate the header:
curl -H 'Host: traefik' http://your.domain/
```
No Workaround!
There are no configuration workarounds; only upgrading eliminates the bug.
References & Further Reading
- Traefik Security Advisory GHSA-2rgw-465g-6qf4
- CVE-2023-47633 – NIST Database
- Original Pull Request (github.com/traefik/traefik)
- Traefik Docs – Docker Provider
Final Thoughts
If you’re running Traefik with Docker integration and haven’t upgraded since Nov 2023, DO SO NOW. Don’t let a simple request take your whole stack down. Traefik is safe and robust when well-maintained—CVE-2023-47633 is a classic reminder to update early and often!
Timeline
Published on: 12/04/2023 21:15:34 UTC
Last modified on: 12/07/2023 20:51:18 UTC