There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: my-service
spec:
routes:
- match: PathPrefix(‘/service’)
kind: Rule
services:
- name: service-a
port: 8080
middlewares:
- name: my-middleware-a
- match: PathPrefix(‘/service/sub-path’)
kind: Rule
services:
- name: service-a
port: 8080
In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).
If you have any questions or comments about this advisory, please open an issue.
<details>
<summary>Original Description</summary>
Path traversal with "/../" using URL encodings ("/%2e%2e") allows for circumventing routing rules.
When having defined a route, you can path traverse using the URL encoded variant of /../ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /../ and has been fixed in this CVE. This URL encoding trick works around that
https://nvd.nist.gov/vuln/detail/CVE-2025-32431
Simply implementing a check on the URL encoding won't be sufficient as path traversal can take numerous formats. See examples here:
https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html
Setup a service with two endpoints: "/public" and "/private", which returns a 200 OK for both
Setup a Traefik proxy with a single route which points to the service using path /public
Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik)
When making a request to /public/%2e%2e/private you should receive a 200 OK.
Impacts all traefik implementations with path prefix routes that expose only part of the downstream api
Provide configuration property which disables all path traversals. Steps:
1. Decode URL
2. Evaluate and construct relative path (do traversal before route evaluation)
3. Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp)
</details>
| Score | Percentile |
|---|---|
| 0.40% | 60.51% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-vrch-868g-9jx5 ↗ |
| CVE | CVE-2025-47952 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/traefik/traefik/v3 | <= 3.4.0 | 3.4.1 | — |
| go | github.com/traefik/traefik | <= 1.7.34 | — | — |
| go | github.com/traefik/traefik/v2 | < 2.11.25 | 2.11.25 | — |