Traefik has released v3.6.22, a patch version that addresses a significant goroutine leak in the reverse proxy’s HTTP/2 connection handling, along with dependency updates to resolve security vulnerabilities. This release is recommended for all users running the v3.6.x series.
- Fixed a goroutine leak in the HTTP/2 reverse proxy: when a backend connection is closed unexpectedly (e.g., server reset), Traefik’s connection pool would retain stale goroutines, leading to memory growth over time. The fix ensures proper cleanup of `http2` connections in `internal/server/service/proxy.go`.
- Upgraded the Go version from 1.21 to 1.21.13 to incorporate upstream security patches.
- Updated Docker base images to `debian:bookworm-slim` with latest security patches.
- Updated the `golang.org/x/net` dependency to version `0.33.0` to fix CVE-2024-45338 (a non-linear parsing of cookie values leading to potential CPU exhaustion).
- Updated the `github.com/containous/alice` dependency to `0.0.0-20250317155903` for compatibility and fixes.
- Other dependency bumps include `google.golang.org/grpc` (v1.69.4) and `golang.org/x/crypto` (v0.31.0) to patch CVEs.
This release is crucial for developers running Traefik in production with HTTP/2 backends, as the goroutine leak could silently degrade performance over time. The CVE fixes in golang.org/x/net and dependency updates also strengthen security. Upgrading is straightforward: pull the updated Docker image traefik:v3.6.22 or use the binary from GitHub releases. No configuration changes are required.
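To confirm after the upgrade that a deployed binary actually carries the dependency versions listed above, the following added example (not Traefik's own code) audits the dependency lines printed by `go version -m <binary>`. The names `minimums`, `parse` and `Audit` are hypothetical, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum versions, taken from the release notes above.
var minimums = map[string]string{
	"golang.org/x/net":       "v0.33.0",
	"golang.org/x/crypto":    "v0.31.0",
	"google.golang.org/grpc": "v1.69.4",
}

// Constructed sample of `go version -m <binary>` dependency lines (not real output).
const sample = "\tdep\tgolang.org/x/crypto\tv0.31.0\th1:constructed=\n" +
	"\tdep\tgolang.org/x/net\tv0.30.0\th1:constructed=\n" +
	"\tdep\tgoogle.golang.org/grpc\tv1.9.10\th1:constructed=\n"

// parse turns "v1.69.4" into [1 69 4]. Simplification: anything after the
// patch number (pre-release tag, pseudo-version timestamp) is ignored.
func parse(v string) (out [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err
}

// Audit returns one finding per tracked module older than its minimum.
// Components are compared as integers, so v1.9.10 sorts below v1.69.4
// (a plain string comparison would get that wrong).
func Audit(buildInfo string) (findings []string) {
	for _, line := range strings.Split(buildInfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || f[0] != "dep" || minimums[f[1]] == "" {
			continue
		}
		got, err := parse(f[2])
		want, _ := parse(minimums[f[1]])
		older := got[0] < want[0] || (got[0] == want[0] &&
			(got[1] < want[1] || (got[1] == want[1] && got[2] < want[2])))
		if err != nil || older { // unparseable versions are reported, not skipped
			findings = append(findings, f[1]+" "+f[2]+" is below "+minimums[f[1]])
		}
	}
	return findings
}

func main() { fmt.Println(strings.Join(Audit(sample), "\n")) }
```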
Source: https://github.com/traefik/traefik/releases/tag/v3.6.22