CVE-2025-54386
published 2025-08-02

Priority: P2 (59) · CVSS 3.1 base score: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.03% (59.6th percentile)
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4, and 3.5.0-rc1, a path traversal vulnerability was discovered in Traefik's WASM plugin installation mechanism. A maliciously crafted ZIP archive whose entry names contain ../ sequences (the classic "zip slip" pattern) lets an attacker overwrite arbitrary files outside the intended plugin directory when the archive is unpacked. Depending on which files are overwritten, this can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.

Affected

8 ranges
Vendor      | Product            | Version range          | Fixed in
github.com  | traefik_traefik_v2 | >= 0, < 2.11.28        | 2.11.28
github.com  | traefik_traefik_v3 | >= 0, < 3.4.5          | 3.4.5
github.com  | traefik_traefik_v3 | >= 3.5.0-rc1, < 3.5.0  | 3.5.0
traefik     | traefik            | < 2.11.7               | 2.11.7
traefik     | traefik            | <= 2.11.27, < 2.11.28  |
traefik     | traefik            |                        |
traefik     | traefik            |                        |
traefik     | traefik            | >= 3.0.0, < 3.4.4      | 3.4.4

Note: two of the vendor-sourced rows (< 2.11.7 fixed in 2.11.7; >= 3.0.0 < 3.4.4 fixed in 3.4.4) do not agree with the fix versions stated in the advisory description (2.11.28, 3.4.5, 3.5.0). When planning upgrades, use the advisory's fix versions: 2.11.28 on the 2.x line, 3.4.5 on the 3.4 line, 3.5.0 for the 3.5 release candidate.

Detection & IOCs (extracted from sources)

  • Inspect plugin ZIP archives before Traefik's WASM plugin installer unpacks them: any entry whose name contains a '../' segment (or that resolves to a path outside the plugin directory) is a path traversal attempt and the archive should be rejected.
  • Monitor for file writes by the Traefik process outside of its plugin directory; a write to any other location during plugin installation indicates successful exploitation of the path traversal.
  • Red Hat notes that no viable mitigation is available short of patching; operators should prioritize upgrading to 2.11.28, 3.4.5, or 3.5.0.
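The check behind the first detection bullet, and the containment test that a fixed extractor must perform before writing any entry from the archive described above, as an added example. This is not Traefik's code and does not reproduce the patched extractor; it is a stand-alone Go audit that lists every archive entry which would land outside a chosen plugin directory. It goes slightly beyond the '../' case the advisory names by also rejecting absolute entry names and backslash separators. The destination /opt/traefik/plugins and the entry names in the two constructed sample archives (plugin/.traefik.yml, plugin/plugin.wasm, the cron and binary paths) are illustrative assumptions, not Traefik's real plugin layout.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Verdict records a ZIP entry that would escape the extraction root.
type Verdict struct {
	Name   string // entry name exactly as stored in the archive
	Reason string
}

// SafeJoin resolves an archive entry name against destDir and reports whether
// the result still lies inside destDir. A zip-slip-vulnerable extractor joins
// the two and writes without this containment check. (Go 1.20+ offers
// filepath.IsLocal for the same purpose; the Rel-based test below also runs on
// older toolchains.)
func SafeJoin(destDir, name string) (string, bool) {
	// ZIP names use '/', but a hostile archive may smuggle '\' separators.
	name = strings.ReplaceAll(name, `\`, "/")
	if name == "" || filepath.IsAbs(name) {
		return "", false
	}
	root := filepath.Clean(destDir)
	dest := filepath.Join(root, name) // Join also cleans, collapsing "a/../.."
	// Use Rel rather than strings.HasPrefix(dest, root): a naive prefix test
	// accepts "/opt/traefik/plugins-evil/x" as being under "/opt/traefik/plugins".
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return dest, true
}

// AuditZip lists the entries of an in-memory ZIP archive that a naive extractor
// would write outside destDir. An empty result means the archive has no
// path-traversal entries; it says nothing about the entries' contents.
func AuditZip(archive []byte, destDir string) ([]Verdict, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Since Go 1.20, NewReader returns ErrInsecurePath together with a usable
	// reader when GODEBUG=zipinsecurepath=0; keep going so every entry is reported.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var bad []Verdict
	for _, f := range r.File {
		if _, ok := SafeJoin(destDir, f.Name); !ok {
			bad = append(bad, Verdict{Name: f.Name, Reason: "resolves outside " + destDir})
		}
	}
	return bad, nil
}

type entry struct{ name, body string }

// buildZip writes name/body pairs into an in-memory archive. archive/zip's
// Writer stores entry names verbatim, so "../" and absolute names survive.
func buildZip(entries []entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		f, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// BenignPluginZip is a constructed stand-in for a well-formed plugin archive
// (illustrative names, not Traefik's real plugin layout).
func BenignPluginZip() []byte {
	return buildZip([]entry{
		{"plugin/.traefik.yml", "displayName: demo\n"},
		{"plugin/plugin.wasm", "\x00asm"},
	})
}

// MaliciousPluginZip is a constructed archive mixing a benign entry with three
// traversal attempts: a bare "../" chain, a chain hidden behind a plausible
// prefix, and an absolute path.
func MaliciousPluginZip() []byte {
	return buildZip([]entry{
		{"plugin/.traefik.yml", "displayName: demo\n"},
		{"../../../etc/cron.d/traefik", "* * * * * root /tmp/x\n"},
		{"plugin/../../plugin-escape.wasm", "\x00asm"},
		{"/usr/local/bin/traefik", "#!/bin/sh\n"},
	})
}

func main() {
	for _, s := range []struct {
		label   string
		archive []byte
	}{{"benign", BenignPluginZip()}, {"malicious", MaliciousPluginZip()}} {
		bad, err := AuditZip(s.archive, "/opt/traefik/plugins")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s archive: %d escaping entries\n", s.label, len(bad))
		for _, v := range bad {
			fmt.Printf("  reject %q: %s\n", v.Name, v.Reason)
		}
	}
}
```

Running it reports zero escaping entries for the benign archive and three for the malicious one. The same SafeJoin call is the guard a hardened extractor needs before every os.MkdirAll or os.Create; rejecting the whole archive on the first bad entry is preferable to skipping entries, since a partially installed plugin is itself a failure mode.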

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v4.0: 7.3 HIGH (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
Vendor (Red Hat): 7.3 HIGH

Note the disagreement between the scores: the v3.1 vector assumes an unauthenticated network attacker with no user interaction, whereas the v4.0 vector (AC:H, AT:P, PR:H, UI:P) and Red Hat's 7.3 assume the crafted archive must reach the installer through a privileged, user-initiated plugin installation. Rate the risk for your own deployment by who can control the plugin sources Traefik loads.