CVE-2025-32431 — Path Traversal in Traefik

CWE-22 — Path Traversal5 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 36.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Traefik Github.com Traefik Traefik V2 Github.com Traefik Traefik V3 +1 more

Timeline

PublishedApr 21

Latest updateApr 22

Description

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patc…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5traefik/traefik< 2.11.24+2

▶NVDtraefik/traefik3.0.0 — 3.3.6+2

▶Gogithub.com/traefik_traefik_v2< 2.11.23

▶Gogithub.com/traefik_traefik_v33.4.0-rc1 — 3.4.0-rc2+1

▶Gogithub.com/traefik_traefik1.7.34

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Traefik has a possible vulnerability with the path matchers in github.com/traefik/traefik↗2025-04-22

▶

GHSA

Traefik has a possible vulnerability with its path matchers↗2025-04-21

▶

OSV

Traefik has a possible vulnerability with its path matchers↗2025-04-21

▶

CVEList

Traefik has a possible vulnerability with the path matchers↗2025-04-21

▶