CVE-2025-54386
Published: 2025-08-02
Priority: P2 · 59 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.03% (59.6th percentile)
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik_v2 | >= 0 < 2.11.28 | 2.11.28 |
| github.com | traefik_traefik_v3 | >= 0 < 3.4.5 | 3.4.5 |
| github.com | traefik_traefik_v3 | >= 3.5.0-rc1 < 3.5.0 | 3.5.0 |
| traefik | traefik | < 2.11.7 | 2.11.7 |
| traefik | traefik | <= 2.11.27, < 2.11.28 | — |
| traefik | traefik | — | — |
| traefik | traefik | — | — |
| traefik | traefik | >= 3.0.0 < 3.4.4 | 3.4.4 |
Detection & IOCs (extracted from sources)
- Look for ZIP archives containing file paths with `../` sequences being submitted to Traefik's plugin installation mechanism, indicating a path traversal attempt.
- Monitor for unexpected file writes outside of the Traefik plugin directory, which may indicate successful exploitation of the path traversal vulnerability.
- Red Hat notes no viable mitigation is available short of patching; operators should prioritize upgrading to 2.11.28, 3.4.5, or 3.5.0.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v4.0: 7.3 HIGH (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
- Red Hat (vendor): 7.3 HIGH
OSV · 2025-08-11 · CVE-2025-54386: Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution in github.com/traefik/traefik
OSV · 2025-08-01 · CVE-2025-54386 [HIGH]: Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
### Summary
A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.
**✅ After investigation, it is confirmed that no plugins on the [Catalog](https://plugins.traefik.io/plugins) were affected. There is no known impact.**
### Details
The vulnerability resides in the WASM plugin extraction logic, specifically in the `unzipFile` function (`/plugins/client.g
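The advisory's root cause is an archive extractor that trusts entry names. As an added example (Go, written for this page, not Traefik's own code or its fix), the function below validates every ZIP entry against the destination directory before writing anything, so an entry with `../` segments, an absolute name, or a symlink is rejected and no partial extraction happens. The names `SafeUnzip`, `entryTarget`, `buildZip` and `zipEntry`, the sample archive contents and the temporary destination directory are all constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned for any archive entry that would resolve
// outside the destination directory (the "../" pattern from the advisory).
var ErrPathTraversal = errors.New("zip entry escapes destination directory")

// entryTarget maps an archive entry name onto a path under dest, or returns
// ErrPathTraversal. It touches no filesystem state, so it is easy to unit-test.
func entryTarget(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	// filepath.Join would silently re-root an absolute name under dest, and a
	// backslash is a separator on Windows but an ordinary byte on Linux; neither
	// has a legitimate use in a plugin archive, so refuse both outright.
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") || strings.Contains(name, `\`) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	target := filepath.Join(cleanDest, name) // Join cleans, so "../" segments are resolved here
	// The cleaned target is acceptable only if it is dest itself or lies below it.
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return target, nil
}

// SafeUnzip extracts archive into dest in two passes: every entry is validated
// first, and only then are files written, so a rejected archive leaves nothing
// behind. It returns the names of the regular files it wrote.
func SafeUnzip(archive []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		// Newer toolchains may already report "../" names as zip.ErrInsecurePath;
		// either way the archive is refused.
		return nil, err
	}
	targets := make([]string, 0, len(r.File))
	for _, f := range r.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("symlink entry not allowed: %q", f.Name)
		}
		t, err := entryTarget(dest, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, t)
	}
	var written []string
	for i, f := range r.File {
		t := targets[i]
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(t, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(t), 0o755); err != nil {
			return written, err
		}
		if err := copyEntry(f, t); err != nil {
			return written, err
		}
		written = append(written, f.Name)
	}
	return written, nil
}

// copyEntry streams one archive member to its already-validated target path.
func copyEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// zipEntry and buildZip construct sample archives in memory for the example;
// a name ending in "/" produces a directory entry.
type zipEntry struct{ Name, Body string }

func buildZip(entries []zipEntry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if e.Body != "" {
			if _, err := fw.Write([]byte(e.Body)); err != nil {
				panic(err)
			}
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "plugin-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	// Constructed samples: a benign plugin layout, and one carrying a "../" entry.
	benign := buildZip([]zipEntry{{"assets/", ""}, {".traefik.yml", "displayName: demo\n"}, {"plugin.wasm", "\x00asm"}})
	hostile := buildZip([]zipEntry{{"plugin.wasm", "\x00asm"}, {"../../outside.txt", "must never be written"}})
	names, err := SafeUnzip(benign, dest)
	fmt.Println("benign:", names, err)
	names, err = SafeUnzip(hostile, dest)
	fmt.Println("hostile:", names, err)
}
```

The two-pass structure is the point: checking each entry only as it is written would still let earlier members land on disk before a later `../` entry is caught, which matters when the archive is untrusted input as it is here. The `filepath.Rel` check, rather than a plain string prefix comparison, also handles a destination such as `/` correctly and resists prefix tricks like `/srv/plugins-evil` against `/srv/plugins`.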
GHSA · 2025-08-01 · CVE-2025-54386 [HIGH] CWE-22: Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
Red Hat · 2025-08-01 · CVSS 7.3 · CVE-2025-54386 [HIGH] CWE-22: traefik: Traefik's Client Plugin is Vulnerable to Path Traversal, Arbitrary File Overwrites and Remote Code Execution
A flaw was found in Traefik's plugin installation mechanism. This vulnerability allows remote code execution, privilege escal
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/traefik/plugin-service/pull/71
- https://github.com/traefik/plugin-service/pull/72
- https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800
- https://github.com/traefik/traefik/pull/11911
- https://github.com/traefik/traefik/releases/tag/v2.11.28
- https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg