A newly discovered vulnerability in Traefik’s experimental ingress-nginx provider silently disabled TLS certificate verification for five months — despite operators enabling it in configuration.

The flaw inverted a critical security annotation, leaving downstream HTTPS services exposed to adversary-in-the-middle interception across Kubernetes environments.

The vulnerability exposed “… HTTPS backends to adversary-in-the-middle attacks,” said AISLE researchers.

Stanislav Fort, Co-founder and Chief Scientist at AISLE added, “Traditional scanners miss this completely because the code looks fine and passes all tests. The bug isn’t in the syntax, it’s in the semantic relationship between two systems. It is a logical mismatch that requires reasoning about intent, not just pattern matching.”

A Small Misconfiguration with Large Consequences

Traefik is one of the most widely deployed cloud-native ingress controllers in the world, with more than 60,000 GitHub stars and over 3 billion downloads.

It routes traffic for financial services, SaaS platforms, healthcare systems, and enterprise Kubernetes clusters across AWS, Azure, GCP, and on-prem environments.

Because annotations in Kubernetes function as policy at scale, a single inverted security setting can weaken protections across thousands of routes.

Many teams deployed Traefik’s ingress-nginx provider specifically to preserve NGINX-style security configurations — including backend certificate verification. Instead, verification was turned off without warning.

How the Traefik TLS Verification Bug Occurred

The vulnerability (CVE-2025-66491) stemmed from a semantic mismatch between NGINX’s proxy-ssl-verify annotation and Go’s InsecureSkipVerify field.

In NGINX, setting proxy-ssl-verify: “on” enables backend certificate verification, while in Go’s TLS implementation, setting InsecureSkipVerify: true disables verification.

Traefik’s ingress-nginx provider incorrectly mapped these behaviors, using the following logic: InsecureSkipVerify: strings.ToLower(ptr.Deref(cfg.ProxySSLVerify, “off”)) == “on”.

As a result, setting the annotation to “on” unintentionally disabled verification, and setting it to “off” enabled it.

The unit test suite reinforced this inversion by defining the reversed behavior as the expected outcome, allowing the flaw to pass CI undetected.

The issue becomes dangerous when an attacker can position themselves in the network path between Traefik and a backend service — through ARP spoofing, a compromised sidecar, or misconfigured network policies.

With verification skipped, an attacker could present a forged certificate, intercept and decrypt traffic, steal credentials or session tokens, modify responses, or reroute service traffic, all while the encrypted connection appears normal to operators.

This creates particular risk in multi-tenant clusters, hybrid environments, or architectures without consistent mTLS enforcement.

The bug affected Traefik versions v3.5.0 through v3.6.2 and was patched in version v3.6.3.

Mitigating Risk from the Traefik TLS Verification Bug

Addressing this vulnerability requires both upgrading to the patched Traefik release and strengthening how TLS policies are applied, validated, and monitored across the environment.

Upgrade to Traefik v3.6.3 for the complete fix , or temporarily set proxy-ssl-verify: “off” or remove the annotation to maintain proper TLS verification.

, or temporarily set or remove the annotation to maintain proper TLS verification. Audit ingress resources and annotations for inverted or insecure TLS settings , and restrict who can modify ingress configuration through stricter RBAC controls.

, and restrict who can modify ingress configuration through stricter RBAC controls. Use admission controllers or policy engines like OPA/Gatekeeper or Kyverno to enforce secure TLS configurations and block unsafe annotation values.

like OPA/Gatekeeper or Kyverno to enforce secure TLS configurations and block unsafe annotation values. Enforce mTLS or other strong service-to-service encryption to reduce reliance on ingress-level TLS verification alone.

to reduce reliance on ingress-level TLS verification alone. Monitor backend traffic for anomalies such as unexpected certificate chains, routing changes, or irregular service communication patterns.

such as unexpected certificate chains, routing changes, or irregular service communication patterns. Review CI tests and configuration pipelines for semantic mismatches and implement drift detection to prevent insecure TLS settings from reappearing.

By taking these steps, organizations can maintain more reliable TLS protections and reduce the likelihood of configuration issues going unnoticed.

Invisible Misconfigurations in Cloud-Native Architectures

CVE-2025-66491 highlights a broader challenge in cloud-native systems: ensuring that configuration intent is accurately translated across the various components that enforce security policies.

Although the underlying bug was only a few characters, it appeared in widely used infrastructure and produced behavior that differed from what operators expected.

Issues like this can arise in complex, multi-layered architectures where settings defined in one system — such as NGINX annotations — must be mapped to another, like Go’s TLS configuration.

These discrepancies can be difficult to detect because they may pass CI tests and remain unnoticed by traditional scanning tools, only becoming visible when examined through more thorough or system-aware analysis.

As environments grow more interconnected, these issues reinforce the importance of approaches like zero-trust that emphasize explicit validation at each layer.