Path Normalization Bypass in Traefik Router + Middleware Rules

説明

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set ('/', '\', 'Null', ';', '?', '#'), it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(‘/admin/’)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-security-middleware
    - match: PathPrefix(‘/’)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/admin%2F will reach the backend service-a without operating the middleware my-security-middleware and passing the security put in place for the /admin/ path.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.32
  • https://github.com/traefik/traefik/releases/tag/v3.6.4

For more information

If you have any questions or comments about this advisory, please open an issue.

<details>
<summary>Original Description</summary>### Summary
A vulnerability exists in Traefik’s path matching logic that allows attackers to bypass access-control middleware (e.g., blocking rules) by using URL-encoded paths. I found this vulnerability while playing PwnSec CTF 2025 with my team @0xL4ugh

Details

Traefik evaluates router rules before decoding or normalizing the request path, but forwards the request after decoding to the backend service. As a result, routes meant to block access to sensitive endpoints (such as internal, beta, or admin endpoints) can be trivially bypassed.

PoC

Traefik configuration used in this issue :
``[http.routers.flask-router-report-deny] entryPoints = [&quot;web&quot;] rule = &quot;PathPrefix(/report_note`)"
priority = 10
middlewares = ["block-access"]
service = "flask-service"

[http.middlewares.block-access.replacePathRegex]
regex = ".*"
replacement = "/blocked"

The intention is to block all access to /report_note.

However, the following request bypasses the block:

POST /%2freport_note HTTP/1.1
Host: localhost:62814

```

Impact

Access Control Bypass:
Any endpoint intended to be blocked (e.g., admin/debug/beta APIs) can be accessed by URL-encoding slashes or other characters.

This could lead to:

  • Unauthorized access to restricted endpoints
  • Execution of protected internal functionality
  • Potential privilege escalation
  • Bypass of security policies enforced via Traefik routing rules
    </details>

基本情報

タイプ
reviewed
深刻度
medium
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2025-12-08 16:42:30 UTC
更新
2025-12-17 00:44:52 UTC
GitHub レビュー済み
2025-12-08 16:42:30 UTC
NVD で公開
2025-12-08

EPSS Score

Score Percentile
0.02% 5.27%

CVSS Scores

Base score Version Severity Vector
6.9 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N クリックして展開
攻撃ベクター (AV:N)
インターネットや社内 WAN など、ルーティングされたネットワーク越しに遠隔から踏み台にしうる。
攻撃の複雑さ (AC:L)
手順が短く、再現性が高い。
攻撃要件 (AT:N)
到達性以外に、追加のインフラ条件やデータ前提は要らない。
必要な権限 (PR:N)
昇格やログインなしで踏み台にしうる。
ユーザーの関与 (UI:N)
被害者の操作なしでも攻撃が完結しうる。
脆弱システムの機密性への影響 (VC:N)
脆弱な対象から機微情報が読まれうる余地はほとんどない。
脆弱システムの完全性への影響 (VI:N)
改ざん・なりすましで信頼が揺らぐ局面はほとんど想定されない。
脆弱システムの可用性への影響 (VA:N)
業務を止めるほどの停止や劣化は想定しにくい。
後続システムの機密性への影響 (SC:L)
下流の一部資産について限定的な漏えいが起きうる。
後続システムの完全性への影響 (SI:L)
下流の一部コンポーネントで改ざんが起きうるが、全体信頼は保たれやすい。
後続システムの可用性への影響 (SA:N)
下流サービスが止まるほどの影響は想定しにくい。

Identifiers

CWEs

CWE id Name
CWE-436 Interpretation Conflict

Credits

  • ShadoooooW (reporter)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/traefik/traefik <= 1.7.34
go github.com/traefik/traefik/v2 < 2.11.32 2.11.32
go github.com/traefik/traefik/v3 < 3.6.3 3.6.3

References

cvelogic Threat Intelligence