exploitDog
GHSA-6p68-w45g-48j7

Published: 21 Apr 2025
Source: github
GitHub: reviewed
CVSS4: 8.8

Description

Traefik has a possible vulnerability with its path matchers

Impact

There is a potential vulnerability in how Traefik handles requests routed with a PathPrefix, Path or PathRegexp matcher.

When Traefik is configured to route requests to a backend using a path-based matcher, a request whose URL path contains a /../ segment can reach a backend exposed by a different router and bypass that router's middleware chain: the matcher is evaluated on the path as received, while the dot-segments are only resolved afterwards.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(`/service`)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(`/service/sub-path`)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In this configuration, the request http://mydomain.example.com/service/sub-path/../other-path is matched by the second router and reaches the backend service-a without passing through my-middleware-a, even though the resolved path is http://mydomain.example.com/service/other-path, which should have been handled by the first router (and therefore by my-middleware-a).

Patches

Workaround

Add a negated PathRegexp clause to the matcher of every path-based router, so that a request whose path contains /../ matches no router at all instead of being caught by a more specific router that lacks the middleware.

Example:

match: PathPrefix(`/service`) && !PathRegexp(`(?:(/\.\./)+.*)`)

The expression only excludes a literal /../ segment that is followed by a further slash; a path that ends in /.. is not excluded, and a more specific router left without the clause still matches such requests, so apply the clause consistently and review each router's rule.
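The routing decision from the Impact example and the effect of the workaround above, as an added example that is not part of the advisory or of Traefik's code base. It models the two routers of the IngressRoute with a PathPrefix rule, tries the longer rule first (Traefik's default priority is the rule length), and compares matching on the raw path with matching after dot-segments are resolved. The Router and Decision types, the router names service and sub-path, and the WithWorkaround helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Router is a minimal model of one Traefik router: a PathPrefix rule, the
// middlewares attached to it, and whether the advisory's negated PathRegexp
// clause has been appended to the rule. The type and the router names below
// are assumptions made for this example; they are not Traefik's own types.
type Router struct {
	Name        string
	Prefix      string
	Middlewares []string
	ExcludeDots bool // rule is PathPrefix(...) && !PathRegexp(`(?:(/\.\./)+.*)`)
}

// AdvisoryRouters reproduces the two routes of the advisory's IngressRoute.
var AdvisoryRouters = []Router{
	{Name: "service", Prefix: "/service", Middlewares: []string{"my-middleware-a"}},
	{Name: "sub-path", Prefix: "/service/sub-path"},
}

// dotSegment is the PathRegexp used in the advisory's workaround.
var dotSegment = regexp.MustCompile(`(?:(/\.\./)+.*)`)

// Decision is what the proxy concluded for one request.
type Decision struct {
	Router      string   // winning router, "" when no router matched
	Middlewares []string // middlewares that will run
	BackendPath string   // path after dot-segment resolution, i.e. what the backend acts on
}

// matches evaluates the router's rule against the path used for matching.
func (r Router) matches(p string) bool {
	if r.ExcludeDots && dotSegment.MatchString(p) {
		return false
	}
	return strings.HasPrefix(p, r.Prefix)
}

// WithWorkaround returns a copy of routers with the negated PathRegexp clause
// added to every router, or only to the routers named in only.
func WithWorkaround(routers []Router, only ...string) []Router {
	out := append([]Router(nil), routers...)
	for i := range out {
		if len(only) == 0 {
			out[i].ExcludeDots = true
			continue
		}
		for _, n := range only {
			if out[i].Name == n {
				out[i].ExcludeDots = true
			}
		}
	}
	return out
}

// Normalize resolves "." and ".." segments the way a backend will when it
// serves the request, keeping a trailing slash that path.Clean would drop.
func Normalize(p string) string {
	clean := path.Clean(p)
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/"
	}
	return clean
}

// Decide selects the router for rawPath. Traefik's default priority is the
// rule length, so longer (more specific) rules are tried first; that is
// modelled by sorting on prefix length. With normalizeFirst=false the rule is
// evaluated on the path as received, which is the behaviour the advisory
// describes; with normalizeFirst=true dot-segments are resolved before matching.
func Decide(routers []Router, rawPath string, normalizeFirst bool) Decision {
	matchPath := rawPath
	if normalizeFirst {
		matchPath = Normalize(rawPath)
	}
	ordered := append([]Router(nil), routers...)
	sort.SliceStable(ordered, func(i, j int) bool {
		return len(ordered[i].Prefix) > len(ordered[j].Prefix)
	})
	d := Decision{BackendPath: Normalize(rawPath)}
	for _, r := range ordered {
		if r.matches(matchPath) {
			d.Router, d.Middlewares = r.Name, r.Middlewares
			break
		}
	}
	return d
}

func main() {
	raw := "/service/sub-path/../other-path"
	fmt.Printf("vulnerable (raw match):       %+v\n", Decide(AdvisoryRouters, raw, false))
	fmt.Printf("normalize before matching:    %+v\n", Decide(AdvisoryRouters, raw, true))
	fmt.Printf("workaround on every router:   %+v\n", Decide(WithWorkaround(AdvisoryRouters), raw, false))
	fmt.Printf("workaround on /service only:  %+v\n", Decide(WithWorkaround(AdvisoryRouters, "service"), raw, false))
	fmt.Printf("trailing /.. with workaround: %+v\n", Decide(WithWorkaround(AdvisoryRouters), "/service/sub-path/..", false))
}
```

Run it with go run. The raw-path match sends /service/sub-path/../other-path through the sub-path router with no middleware while the backend acts on /service/other-path; normalizing before matching sends it through the /service router with my-middleware-a; the workaround on every router makes the request match nothing; the workaround on the /service router alone still lets the sub-path router win; and a path ending in /.. is not caught by the regexp at all.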

For more information

If you have any questions or comments about this advisory, please open an issue.

Packages

Name                            Ecosystem   Affected versions   Fixed version
github.com/traefik/traefik      go          <= 1.7.34           none
github.com/traefik/traefik/v2   go          < 2.11.23           2.11.23
github.com/traefik/traefik/v3   go          < 3.3.6             3.3.6
github.com/traefik/traefik/v3   go          = 3.4.0-rc1         3.4.0-rc2

EPSS

Percentile: 22%
0.0007
Low

8.8 High

CVSS4

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 9.1
nvd
10 months ago

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it's possible to target a backend, exposed using another router, bypassing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.

CVSS3: 9.1
debian
10 months ago

Traefik (pronounced traffic) is an HTTP reverse proxy and load balance ...

CVSS3: 7.6
fstec
10 months ago

A vulnerability in the Containous Traefik reverse proxy server, related to improper limitation of a pathname to a restricted directory, allowing an attacker to disclose protected information.
