TL;DR

Reverse proxies — NGINX, HAProxy, Caddy, Traefik, Envoy — are the front door to your business applications. Several recent CVEs expose Australian SMBs to denial-of-service, privilege escalation, and data leakage if left unpatched. If you run any of these at your network edge and haven't patched in the last six months, you are likely exposed. This post breaks down the key vulnerabilities, plain-English impact, and a five-minute audit checklist.


Why Your Reverse Proxy Is Your Biggest Attack Surface

Your reverse proxy is the first thing every attacker sees. It terminates TLS, routes traffic, enforces rate limits, and shields your backend applications. When it has a vulnerability, attackers don't need to touch your app — they exploit the proxy itself.

For Australian SMBs running cloud or on-premises workloads behind NGINX, HAProxy, Caddy, or Traefik, the risk is amplified because edge devices are internet-facing by design. A single unpatched CVE at this layer can mean downtime, data breach, or compliance failure under the Australian Privacy Act.


Key CVEs You Need to Know About

1. CVE-2023-44487 — HTTP/2 Rapid Reset (CVSS 7.5)

Affected: NGINX (before 1.25.3), HAProxy, Envoy, Caddy, Traefik, Cloudflare (cloud-side mitigated)

Impact: If you run any HTTP/2-facing reverse proxy and haven't applied HTTP/2 flood mitigations, attackers can send a massive volume of rapidly reset HTTP/2 streams, exhausting server resources and taking down your services in seconds. This is a protocol-level DDoS that requires zero authentication.

Exploitation: Confirmed in the wild at scale. Cloudflare reported mitigating attacks exceeding 201 million requests per second using this technique.

Patch by: Update NGINX to 1.25.3+ or apply your vendor's HTTP/2 rate-limiting patches. Cloudflare customers are protected cloud-side, but origin servers still need patching.

2. CVE-2024-7646 — Kubernetes Ingress-NGINX Annotation Bypass (CVSS 9.8)

Affected: Kubernetes Ingress-NGINX controller before v1.12.1

Impact: If you run Kubernetes with the ingress-nginx controller and allow untrusted users to create or modify Ingress objects, attackers can bypass annotation sanitisation and escalate privileges to access the ingress controller's pod service account token. This gives them cluster-level credentials.

Exploitation: Active exploitation reported. Treat this as critical if you run multi-tenant Kubernetes.

Patch by: Upgrade ingress-nginx to v1.12.1 or later immediately. Restrict who can create Ingress resources using RBAC.

3. CVE-2024-7347 — NGINX MP4 Module Buffer Over-Read (CVSS 6.5)

Affected: NGINX Open Source with the mp4 module enabled

Impact: If you run NGINX with the ngx_http_mp4_module and serve MP4 content, a crafted request can trigger a buffer over-read, potentially leaking memory contents or causing a denial of service.

Exploitation: Proof-of-concept available. Active exploitation not widely confirmed, but the attack surface is straightforward.

Patch by: Update NGINX to the latest stable release. If you don't serve MP4 files, disable the module entirely.

4. CVE-2024-45806 — Traefik Forward Auth Header Injection (CVSS 7.5)

Affected: Traefik versions using ForwardAuth middleware

Impact: If you run Traefik with the ForwardAuth middleware and trust headers from the proxy, attackers can inject arbitrary headers that bypass authentication checks, potentially accessing protected backends without valid credentials.

Exploitation: Requires specific configuration patterns. Audit your ForwardAuth setup.

Patch by: Update Traefik to the latest v3.x release and validate that auth responses explicitly clear untrusted headers.

5. Cloudflare Tunnel and WAF Misconfiguration (No Single CVE — Ongoing Risk)

Affected: Australian SMBs using Cloudflare tunnels or WAF without proper origin validation

Impact: If you use Cloudflare as your edge but haven't locked down origin server access to Cloudflare IP ranges only, attackers can bypass Cloudflare entirely and hit your origin server, sidestepping all WAF rules, bot protection, and rate limiting.

Patch by: Configure your origin firewall (iptables, security groups, or cloud provider rules) to accept HTTP/HTTPS traffic only from Cloudflare's published IP ranges.


Five-Minute Audit Checklist

Run through this right now:

  1. What version am I running? — Run nginx -v, haproxy -v, caddy version, or traefik version. Compare against the latest stable release from each vendor.
  2. Am I exposing HTTP/2? — Check your listen directives. If yes, confirm you're on a patched version post-CVE-2023-44487.
  3. Do I run Kubernetes Ingress-NGINX? — Check your controller version. If below v1.12.1, stop what you're doing and upgrade.
  4. Is my origin locked to Cloudflare IPs? — Run iptables -L or check your cloud security group. If it accepts traffic from 0.0.0.0/0 on 443, you're bypassable.
  5. When did I last update? — If your answer is "more than three months ago," schedule patching today. Edge components should be on a monthly update cadence minimum.
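As an added example that is not part of the original post, the POSIX shell script below turns checklist items 1, 2 and 4 (the last one being the origin-lockdown check from section 5) into functions and runs them against constructed inputs. The version thresholds are the ones stated above; the sample `nginx -v` banner, config file and `iptables -S` dump are made up for the demonstration, and the functions are this script's own, not vendor tooling.

```shell
#!/bin/sh
# Added audit helper, not code from the original post. It implements
# checklist items 1, 2 and 4 as shell functions and runs them against
# constructed sample inputs; the version thresholds come from the post.

# Item 1: is the running version at or above the minimum patched version?
# sort -V orders dotted versions numerically, so the minimum must sort first.
version_ok() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Pull the bare version out of `nginx -v` output
# ("nginx version: nginx/1.24.0" -> "1.24.0").
nginx_version_from_banner() {
    printf '%s' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p'
}

# Item 2: does the config enable HTTP/2? Both the older
# "listen 443 ssl http2;" form and the newer "http2 on;" directive count.
http2_enabled() {
    grep -Eq '^[[:space:]]*(listen[^;#]*[[:space:]]http2([[:space:]]|;)|http2[[:space:]]+on[[:space:]]*;)' "$1"
}

# Item 4: does an `iptables -S` dump accept TCP/443 from any source?
# An ACCEPT on dport 443 with no "-s" restriction is open to 0.0.0.0/0.
origin_open_to_world() {
    printf '%s\n' "$1" | grep -E -- '^-A INPUT .*--dport 443 .*-j ACCEPT' \
        | grep -qv -- ' -s '
}

# --- constructed sample inputs (not taken from a real system) ---
BANNER='nginx version: nginx/1.24.0'
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
server {
    listen 443 ssl;
    http2 on;
    server_name example.invalid;
}
EOF
RULES='-P INPUT DROP
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
ver=$(nginx_version_from_banner "$BANNER")
version_ok "$ver" 1.25.3 || echo "nginx $ver is below 1.25.3: patch for CVE-2023-44487"
http2_enabled "$CONF" && echo "HTTP/2 is enabled: Rapid Reset patch level matters"
origin_open_to_world "$RULES" && echo "TCP/443 accepts 0.0.0.0/0: origin is bypassable"
rm -f "$CONF"
```

On a real host, feed the functions the live output of `nginx -v 2>&1`, your actual config path and `iptables -S`; the same `version_ok` comparison works for the ingress-nginx v1.12.1 threshold in item 3.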

FAQ

I use Cloudflare. Am I safe? Cloudflare patches their infrastructure quickly for protocol-level attacks like HTTP/2 Rapid Reset. But your origin server still needs patching, and misconfigured tunnels or WAF rules leave you exposed. Cloudflare is a layer of defence, not the entire defence.

I'm a small business. Am I really a target? Yes. Automated scanners don't discriminate by company size. They find every internet-facing NGINX or HAProxy instance and probe for known CVEs. Australian SMBs are frequently hit because they patch less often and run older software.

Which reverse proxy is safest? Caddy and Traefik have smaller attack surfaces due to simpler codebases, but no software is immune. HAProxy has the strongest security track record for raw proxying. The safest choice is whichever one you keep patched and properly configured.

How often should I check for CVEs? Subscribe to your vendor's security advisory mailing list. At minimum, review quarterly. For internet-facing edge components, monthly is the baseline. The ACSC's alert service (cyber.gov.au) also publishes relevant advisories for Australian organisations.


Conclusion

Your reverse proxy is not set-and-forget infrastructure. Every one of these CVEs was exploitable from the public internet, required no authentication, and affected default configurations. The difference between a breached SMB and a secure one is rarely which proxy they chose — it's whether they patched it.

Start with the five-minute checklist above. Then subscribe to your vendor's security advisories.

Need help auditing your edge infrastructure? Visit consult.lil.business for a free cybersecurity assessment tailored to Australian small businesses.


