Traefik allows path traversal using url encoding

Description

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(‘/service’)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(‘/service/sub-path’)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.25
  • https://github.com/traefik/traefik/releases/tag/v3.4.1

For more information

If you have any questions or comments about this advisory, please open an issue.

<details>
<summary>Original Description</summary>

Summary

Path traversal with "/../" using URL encodings ("/%2e%2e") allows for circumventing routing rules.

Details

When having defined a route, you can path traverse using the URL encoded variant of /../ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /../ and has been fixed in this CVE. This URL encoding trick works around that
https://nvd.nist.gov/vuln/detail/CVE-2025-32431

Simply implementing a check on the URL encoding won't be sufficient as path traversal can take numerous formats. See examples here:
https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html

PoC

Setup a service with two endpoints: "/public" and "/private", which returns a 200 OK for both
Setup a Traefik proxy with a single route which points to the service using path /public

Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik)
When making a request to /public/%2e%2e/private you should receive a 200 OK.

Impact

Impacts all traefik implementations with path prefix routes that expose only part of the downstream api

Suggestion

Provide configuration property which disables all path traversals. Steps:
1. Decode URL
2. Evaluate and construct relative path (do traversal before route evaluation)
3. Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp)
</details>

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-05-28 14:25:09 UTC
Updated
2025-11-27 08:04:35 UTC
GitHub reviewed
2025-05-28 14:25:09 UTC
NVD published
2025-05-30

EPSS Score

Score Percentile
0.40% 60.51%

CVSS Scores

Base score Version Severity Vector
2.9 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

  • antonjanrutten (reporter)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/traefik/traefik/v3 <= 3.4.0 3.4.1
go github.com/traefik/traefik <= 1.7.34
go github.com/traefik/traefik/v2 < 2.11.25 2.11.25

References

cvelogic Threat Intelligence