Traefik v3.6.22 Patches Goroutine Leak and Dependency Vulnerabilities

Traefik · 30 Jun 2026 · 2 min read


Traefik has released v3.6.22, a patch version that addresses a significant goroutine leak in the reverse proxy’s HTTP/2 connection handling, along with dependency updates to resolve security vulnerabilities. This release is recommended for all users running the v3.6.x series.

  • Fixed a goroutine leak in the HTTP/2 reverse proxy: when a backend connection is closed unexpectedly (e.g., server reset), Traefik’s connection pool would retain stale goroutines, leading to memory growth over time. The fix ensures proper cleanup of http2 connections in internal/server/service/proxy.go.
  • Upgraded the Go version from 1.21 to 1.21.13 to incorporate upstream security patches.
  • Updated Docker base images to debian:bookworm-slim with latest security patches.
  • Updated the golang.org/x/net dependency to 0.33.0 to fix CVE-2024-45338 (non-linear parsing of cookie values, leading to potential CPU exhaustion).
  • Updated github.com/containous/alice dependency to 0.0.0-20250317155903 for compatibility and fixes.
  • Other dependency bumps include google.golang.org/grpc (v1.69.4) and golang.org/x/crypto (v0.31.0) to patch CVEs.

This release is crucial for developers running Traefik in production with HTTP/2 backends, as the goroutine leak could silently degrade performance over time. The CVE fixes in golang.org/x/net and dependency updates also strengthen security. Upgrading is straightforward: pull the updated Docker image traefik:v3.6.22 or use the binary from GitHub releases. No configuration changes are required.
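
For teams that build Traefik from source or maintain a fork, the dependency floors listed above can be checked against a go.mod before shipping. The following is an added example, not code from the Traefik project; `floors`, `verKey` and `Audit` are hypothetical names, and the sample go.mod fragment is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum versions taken from the release summary above.
var floors = map[string]string{
	"golang.org/x/net":       "v0.33.0",
	"golang.org/x/crypto":    "v0.31.0",
	"google.golang.org/grpc": "v1.69.4",
}

// verKey maps "v1.69.4" to 1069004 so versions compare as integers. Anything
// after the patch number (-pre, +meta) is ignored; components assumed < 1000.
func verKey(v string) (int, error) {
	var major, minor, patch int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); err != nil {
		return 0, fmt.Errorf("not a semantic version %q: %w", v, err)
	}
	return major*1_000_000 + minor*1_000 + patch, nil
}

// Audit returns one finding per tracked module in gomod that is below its
// floor or whose version cannot be parsed (fail closed).
func Audit(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || floors[f[0]] == "" {
			continue
		}
		have, err := verKey(f[1])
		want, _ := verKey(floors[f[0]])
		if err != nil || have < want {
			findings = append(findings, f[0]+" "+f[1]+" is below "+floors[f[0]])
		}
	}
	return findings
}

func main() {
	// Constructed go.mod fragment, not taken from any real project.
	sample := "require (\n\tgolang.org/x/net v0.30.0\n\tgolang.org/x/crypto v0.31.0\n\tgoogle.golang.org/grpc v1.70.0 // indirect\n)"
	fmt.Println(Audit(sample))
}
```

The check reads `require` lines only; `replace` directives, which can override the resolved version, are not evaluated.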

Source: https://github.com/traefik/traefik/releases/tag/v3.6.22
