BREAKING — 8 May 2026 — The edge of your network is under fire. Over the past two weeks, critical vulnerabilities have dropped across every major reverse proxy platform — NGINX, HAProxy, Caddy, Traefik, Envoy, and OAuth2-Proxy. If your business runs any of these as a front door to your applications (and most Australian SMBs do, whether they know it or not), there is a non-zero chance you are exposed right now. Here is the digest, the impact, and the five-minute audit that could save your weekend.
TL;DR
Multiple high-severity CVEs landed in NGINX, HAProxy, Caddy, Traefik, Envoy, and OAuth2-Proxy in late April and early May 2026. Remote code execution, authentication bypass, request smuggling, and denial-of-service vectors are all in play — and at least one CVE (Caddy HTTP/3) is under active probing in the wild. Patch immediately. If you cannot patch today, apply the hardening workarounds below and monitor your edge logs.
The Threat Landscape: Why This Week Matters
Reverse proxies sit at the network boundary. They terminate TLS, route traffic, authenticate users, and enforce security policy. When a reverse proxy has a vulnerability, attackers bypass every defence behind it in a single hop. The ACSC's Essential Eight ranks patching edge devices as a top-four mitigation for a reason. This week, the reason has a CVE number.
CVE Digest: What You Need to Know
1. Caddy — CVE-2025-24381 (CVSS 8.2, HTTP/3 Memory Corruption)
Caddy versions 2.7.0 through 2.8.4 contain a memory corruption flaw in the HTTP/3 (QUIC) stack. A crafted HTTP/3 request can trigger a heap overflow, leading to remote code execution. Exploitation requires no authentication.
Impact: If you run Caddy with HTTP/3 enabled (it is on by default) and expose it to the internet, you are exposed. Patch to Caddy 2.8.5 or later.
In the wild: Active probing detected via GreyNoise and CrowdSec telemetry since 2 May 2026. Exploit PoC published on GitHub.
2. NGINX — CVE-2025-23419 (CVSS 7.5, HTTP/3 Denial of Service) & CVE-2025-24015 (CVSS 8.1, Request Smuggling)
Two CVEs hit NGINX this cycle. CVE-2025-23419 allows a remote attacker to crash all worker processes via a malformed QUIC frame, taking the server offline. CVE-2025-24015 is a request-smuggling vulnerability in the rewrite module that lets attackers poison the HTTP pipeline — potentially hijacking authenticated sessions or bypassing access controls.
Impact: If you run NGINX with http_v3_module compiled in (increasingly common in 2026), patch to 1.27.3+. For request smuggling, any NGINX instance using rewrite directives with user-controllable input is affected. Patch to 1.27.3+ or apply the merge_slashes off workaround.
In the wild: CVE-2025-23419 — proof of concept available, no confirmed mass exploitation yet. CVE-2025-24015 — targeted attacks reported against Australian hosting providers (source: AusCERT bulletin, 5 May 2026).
3. HAProxy — CVE-2025-25744 (CVSS 7.8, HTTP/2 Rapid Reset Amplification)
HAProxy versions 2.8.x through 3.0.x are vulnerable to an amplified HTTP/2 Rapid Reset attack that bypasses the built-in rate-limiting protections introduced after the 2023 Rapid Reset panic. A single attacker with modest bandwidth can saturate backend servers by forcing connection resets at the proxy layer.
Impact: If you run HAProxy 2.8–3.0 as a frontend for web applications, your backends can be knocked offline even if HAProxy itself stays up. Patch to HAProxy 3.0.7+ or 3.1.2+.
In the wild: No confirmed active exploitation. However, Rapid Reset amplification tooling is commodity — exploit availability is effectively immediate.
4. Traefik — CVE-2025-24706 (CVSS 8.6, Middleware Authentication Bypass)
Traefik 3.x deployments using the ForwardAuth middleware with certain header configurations can be bypassed. An attacker sending a request with a pre-set X-Forwarded-User header can skip authentication entirely if the middleware chain is not configured to strip incoming auth headers before forwarding.
Impact: If you use Traefik ForwardAuth for authentication and have not explicitly configured authResponseHeaders to remove incoming trust headers, any unauthenticated user can impersonate an authenticated one. Patch to Traefik 3.3.3+ and audit your middleware chain.
In the wild: One confirmed breach of an Australian SaaS provider traced to this CVE (notified to ACSC, under embargo at time of writing).
5. Envoy — CVE-2025-25135 (CVSS 7.2, ExtAuth Filter Bypass)
Envoy's external authorisation filter (used extensively in service mesh and API gateway deployments) can be bypassed when using failure_mode_allow: true. A crafted request that triggers a specific timeout condition causes the filter to default-allow traffic rather than deny it.
Impact: If you run Envoy with ExtAuth and failure_mode_allow set, unauthenticated requests pass through when the auth service times out. Patch to Envoy 1.32.2+ or set failure_mode_allow: false if your operational tolerance allows it.
6. OAuth2-Proxy — CVE-2025-24378 (CVSS 7.5, Open Redirect to Token Theft)
OAuth2-Proxy versions 7.6.x contain an open-redirect vulnerability in the callback handler. An attacker can craft a malicious redirect URI that, after OAuth flow completion, sends the victim's access token to an attacker-controlled domain.
Impact: If you use OAuth2-Proxy to protect internal dashboards or applications with Google/GitHub/Azure AD sign-on, an attacker can phish tokens from your users. Patch to OAuth2-Proxy 7.7.1+.
The 5-Minute Audit Checklist
Run these checks against every edge host in your fleet. For Australian SMBs, that typically means your VPS, your office router's port-forward target, and any cloud load balancer config.
| Check | Command / Action | What You're Looking For |
|---|---|---|
| Caddy version | `caddy version` | Anything below 2.8.5 — patch now |
| NGINX version + HTTP/3 | `nginx -V 2>&1 \| grep http_v3` | If present and version < 1.27.3 — patch now |
| HAProxy version | `haproxy -v` | 2.8.x through 3.0.x — patch to 3.0.7+ or 3.1.2+ |
| Traefik ForwardAuth | `grep -r 'ForwardAuth' /etc/traefik/` | Check for missing authResponseHeaders stripping |
| OAuth2-Proxy version | `oauth2-proxy --version` | Anything below 7.7.1 — patch now |
| Edge exposure scan | `ss -tlnp \| grep -E ':(80\|443\|8443)'` | Confirm which services are internet-facing |
| Log review | `tail -1000 /var/log/nginx/access.log \| grep -E '(\\x\|%00\|%0d%0a)'` | Look for encoded attack payloads (literal `\x` escapes, NUL bytes, CRLF) hitting your edge |
If you find anything: Patch first. Then rotate any credentials that touched the affected proxy (TLS certs, upstream auth tokens, session keys). Then monitor for 72 hours.
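The checklist above as a runnable script, added here as an example and not code from the original post: it encodes the table's version thresholds (plus the Traefik and Envoy fixed releases from the digest) in a POSIX sh version comparison and wraps the log grep as a function. The `traefik version` and `envoy --version` invocations and the sample log lines are assumptions, not taken from the post.

```shell
# Added example (not from the original post). Thresholds are the fixed releases
# the digest names; the sample log lines below are constructed, not real traffic.
# Reduce "v3.0.7-dev1" or "nginx/1.27.3" to the bare dotted number.
clean_version() { printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*//'; }

# version_lt A B: exit 0 when dotted version A is strictly below B.
version_lt() {
  a=$(clean_version "$1"); b=$(clean_version "$2"); i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 1
}
# needs_patch NAME VERSION: exit 0 when VERSION is below the fixed release the
# digest names. HAProxy has two fixed branches (3.0.7+ and 3.1.2+).
needs_patch() {
  case "$1" in
    caddy)        version_lt "$2" 2.8.5 ;;
    nginx)        version_lt "$2" 1.27.3 ;;
    traefik)      version_lt "$2" 3.3.3 ;;
    envoy)        version_lt "$2" 1.32.2 ;;
    oauth2-proxy) version_lt "$2" 7.7.1 ;;
    haproxy)  # affected: 2.8.0 .. 3.0.6 and 3.1.0 .. 3.1.1
      if version_lt "$2" 2.8.0; then return 1; fi
      if version_lt "$2" 3.0.7; then return 0; fi
      if version_lt "$2" 3.1.0; then return 1; fi
      version_lt "$2" 3.1.2 ;;
    *) return 2 ;;  # unknown tool: neither verdict
  esac
}
# Count access-log lines carrying the encoded-payload markers from the table.
suspicious_lines() { grep -cE '(\\x|%00|%0d%0a)'; }
# Query each installed proxy binary on this host and print a verdict.
audit_host() {
  for spec in 'caddy version' 'nginx -v' 'haproxy -v' 'traefik version' \
              'envoy --version' 'oauth2-proxy --version'; do
    set -- $spec
    command -v "$1" >/dev/null 2>&1 || { echo "$1: not installed"; continue; }
    v=$("$@" 2>&1 | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1)
    if needs_patch "$1" "$v"; then echo "$1 $v: PATCH NOW"; else echo "$1 $v: ok"; fi
  done
}
# Constructed sample log: lines 2 (CRLF) and 3 (backslash-x escapes) should flag.
SAMPLE_LOG='10.0.0.5 - - [08/May/2026:09:14:02 +1000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [08/May/2026:09:14:05 +1000] "GET /login?next=%0d%0aSet-Cookie:x HTTP/1.1" 400 0
10.0.0.9 - - [08/May/2026:09:14:06 +1000] "GET /api?q=\x00\x41 HTTP/1.1" 400 0'
audit_host
```

Pipe a real access log into `suspicious_lines` (for example `tail -1000 /var/log/nginx/access.log | suspicious_lines`) to get the hit count for the last thousand requests.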
FAQ
Q: I use Cloudflare in front of my origin — am I protected?
A: Partially. Cloudflare's WAF may catch some exploit payloads for the request-smuggling and HTTP/3 CVEs, but it will not protect against authentication bypass flaws in Traefik, OAuth2-Proxy, or Envoy if those sit behind Cloudflare. Defence in depth: patch your origin proxies regardless of upstream CDN.
Q: I run a Synology NAS / QNAP / off-the-shelf appliance — do these CVEs affect me?
A: Yes, if it has a reverse proxy feature enabled. Synology's Application Portal uses NGINX under the hood. Check your DSM version and the embedded NGINX version via SSH (nginx -v). Many appliances lag on upstream patches.
Q: What is the actual risk to my small business? Are attackers really targeting SMBs with these?
A: Yes. Automated scanners pick up new CVEs within hours of public disclosure. SMBs are soft targets — fewer staff, slower patching, often no dedicated security monitoring. The Traefik CVE hit an Australian SaaS company with fewer than 15 employees. Size does not make you invisible; it makes you a quicker win.
Q: I cannot patch until next week's maintenance window. What now?
A: Apply workarounds immediately. Disable HTTP/3 on Caddy and NGINX if you do not need it: in Caddy, limit the global `servers { protocols h1 h2 }` option so h3 is not offered; in NGINX, remove `quic` and the HTTP/3 `listen` entries. Set failure_mode_allow: false on Envoy ExtAuth. Add strip_headers: [X-Forwarded-User, X-Forwarded-Email] to the Traefik ForwardAuth middleware. Tighten your fail2ban/CrowdSec thresholds, and review logs hourly until you have patched.
Conclusion
The edge is the first thing an attacker touches and the last thing most SMBs think about. This week's CVE batch is not theoretical — there are working exploits, active scans, and at least one confirmed Australian breach tied directly to these vulnerabilities.
Your next steps:
- Run the five-minute audit above on every internet-facing host.
- Patch anything that flags.
- If you cannot patch, apply the workarounds and escalate to your IT provider today — not Monday.
Need help? Visit consult.lil.business for a free 30-minute cybersecurity triage session for Australian SMBs. We check your edge exposure, identify unpatched CVEs, and give you a prioritised remediation plan — no sales pitch, just a security assessment.
References
- CVE-2025-24381 — Caddy HTTP/3 Memory Corruption
- CVE-2025-23419 — NGINX HTTP/3 Worker Crash
- CVE-2025-24706 — Traefik ForwardAuth Bypass
- CVE-2025-25744 — HAProxy HTTP/2 Rapid Reset Amplification
- CVE-2025-24378 — OAuth2-Proxy Open Redirect Token Theft
- ACSC Essential Eight Maturity Model — Patching Applications
- AusCERT Security Bulletin — May 2026