Traefik 3.7.6 adds a setting to block underscore headers

Traefik 3.7.6 adds , a setting that can remove with underscores or reject the request before it is routed. This happens at the layer, before the request reaches the actual app. The change matters most for Python, PHP, CGI, WSGI, and similar backends, because they may translate header names in ways that make underscore variants risky.

In attack paths related to CVE-2024-45410 and CVE-2026-33433, a trusted proxy header could be removed while an attacker-controlled underscore version remains and gets used by the app. The new setting gives operators an extra defense against header alias spoofing at the edge of their setup.

Key points

  • Traefik 3.7.6 adds the setting.
  • It can delete underscore or reject those requests before routing.
  • Python, PHP, CGI, and WSGI backends are called out as especially relevant.
  • The setting helps reduce risks tied to CVE-2024-45410 and CVE-2026-33433 attack paths.
  • operators using Traefik should review the update and their proxy header rules.
Read original