CVE-2025-68121
Medium · CVSS 5.9
Medium Impact
This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.
The Config.Clone variant can affect any deployment that clones its TLS configuration at startup, which may occur in multi-listener setups. The GetConfigForClient variant only affects deployments using a custom per-client TLS callback. Upgrading is recommended regardless of configuration.
Component
Go standard library (crypto/tls)
Disclosed
Feb 10, 2026
CVSS Score
5.9
Two related flaws in Go’s crypto/tls package affect session ticket key handling:
tls.Config.Clone leaks session ticket keys and ignores full certificate chain expiration when the original Config has custom session ticket keys set.
tls.Config.GetConfigForClient does not correctly propagate session ticket keys to the returned Config when authentication parameters are modified.
Both issues can result in authentication state inconsistency or unintended session ticket exposure.
Community Edition
2.13.0
addresses this CVE
Affected CE versions
>= 2.0, < 2.13.0
Enterprise Edition
2.12.4
addresses this CVE
Affected EE versions
>= 2.0, < 2.12.4
Upgrade to the addressed version or later to remediate this vulnerability.
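As an added check that is not part of the advisory or of KrakenD itself: a small Go helper that compares a deployed KrakenD version against the affected ranges listed above, so an inventory script or CI step can flag builds that still need the upgrade. The edition codes "ce"/"ee" and the 20-bits-per-component version packing are this example's own conventions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Lower bound of the affected range as the advisory states it (inclusive).
var affectedFrom, _ = parseVersion("2.0")

// Version that addresses the CVE per edition; it is the exclusive upper bound.
var fixedVersion = map[string]string{
	"ce": "2.13.0", // Community Edition
	"ee": "2.12.4", // Enterprise Edition
}

// parseVersion packs "2.12.3" (a leading "v" is accepted) into one comparable
// integer, 20 bits per component; missing trailing parts count as zero ("2.0" == "2.0.0").
func parseVersion(v string) (int64, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".")
	if len(parts) > 3 {
		return 0, fmt.Errorf("unsupported version %q", v)
	}
	for len(parts) < 3 {
		parts = append(parts, "0")
	}
	var key int64
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1<<20 {
			return 0, fmt.Errorf("bad version component %q in %q", p, v)
		}
		key = key<<20 | int64(n)
	}
	return key, nil
}

// IsAffected reports whether KrakenD edition "ce" or "ee" at the given version
// is inside the affected range, plus the version that addresses the CVE.
func IsAffected(edition, version string) (bool, string, error) {
	fixed, ok := fixedVersion[edition]
	if !ok {
		return false, "", fmt.Errorf("unknown edition %q (use \"ce\" or \"ee\")", edition)
	}
	v, err := parseVersion(version)
	if err != nil {
		return false, fixed, err
	}
	hi, _ := parseVersion(fixed)
	return v >= affectedFrom && v < hi, fixed, nil
}
```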