Score 8.8 | CWE-22 | EPSS 0.069%

CVE-2025-32431: Traefik has a possible vulnerability with the path matchers

First published: Mon Apr 21 2025

## Impact

There is a potential vulnerability in Traefik when managing requests using a `PathPrefix`, `Path` or `PathRegex` matcher. When Traefik is configured to route requests to a backend using a matcher based on the path, and the URL contains a `/../` in its path, it is possible to reach a backend exposed by another router while bypassing the middleware chain.

## Example

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(`/service`)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(`/service/sub-path`)
      kind: Rule
      services:
        - name: service-a
          port: 8080
```

In such a case, the request `http://mydomain.example.com/service/sub-path/../other-path` reaches the backend `my-service-a` without passing through the middleware `my-middleware-a`, even though the normalized path is `http://mydomain.example.com/service/other-path` and should be handled by the first router (which applies `my-middleware-a`).

## Patches

- https://github.com/traefik/traefik/releases/tag/v2.11.24
- https://github.com/traefik/traefik/releases/tag/v3.3.6
- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

## Workaround

Add a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path. Example:

```yaml
match: PathPrefix(`/service`) && !PathRegexp(`(?:(/\.\./)+.*)`)
```

## For more information

If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
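The routing mismatch and the `!PathRegexp` workaround described above, modelled as an added Go example (not Traefik's own code): matching on the raw path lands the advisory's request on the narrower, middleware-free router, matching on the normalized path lands it on the first router with `my-middleware-a`, and the workaround rule refuses it outright. Prefix matching via `strings.HasPrefix` and longest-rule-wins selection are simplifications assumed here.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)
// Added illustration, not Traefik's own code: the two routers from the
// advisory's IngressRoute example, with PathPrefix simplified to a string
// prefix and the longer (more specific) rule winning, as it does by default.
type Router struct {
	Prefix     string
	Middleware []string // chain applied when this router matches
}

var Routers = []Router{
	{Prefix: "/service", Middleware: []string{"my-middleware-a"}},
	{Prefix: "/service/sub-path"},
}

// DotDot is the advisory's workaround matcher: !PathRegexp(`(?:(/\.\./)+.*)`).
var DotDot = regexp.MustCompile(`(?:(/\.\./)+.*)`)

// Select matches the raw path, so `/../` can land on the middleware-free router.
func Select(p string) *Router {
	var best *Router
	for i, r := range Routers {
		if strings.HasPrefix(p, r.Prefix) && (best == nil || len(r.Prefix) > len(best.Prefix)) {
			best = &Routers[i]
		}
	}
	return best
}

// SelectNormalized resolves `/../` first, routing by the path the backend sees.
func SelectNormalized(p string) *Router { return Select(path.Clean(p)) }

// SelectWithWorkaround rejects any path containing `/../` before matching.
func SelectWithWorkaround(p string) *Router {
	if DotDot.MatchString(p) {
		return nil
	}
	return Select(p)
}

func main() {
	req := "/service/sub-path/../other-path" // request path from the advisory
	fmt.Println(Select(req), SelectNormalized(req), SelectWithWorkaround(req))
}
```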

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Traefik | <2.11.24, <3.3.6, <3.4.0-rc2 | |
| go/github.com/traefik/traefik/v3 | =3.4.0-rc1 | 3.4.0-rc2 |
| go/github.com/traefik/traefik/v3 | <3.3.6 | 3.3.6 |
| go/github.com/traefik/traefik/v2 | <2.11.23 | 2.11.23 |
| go/github.com/traefik/traefik | <=1.7.34 | |

Frequently Asked Questions

  • What is the severity of CVE-2025-32431?

    CVE-2025-32431 has the potential to lead to unauthorized access under certain configurations.

  • How do I fix CVE-2025-32431?

    To address CVE-2025-32431, upgrade Traefik to version 2.11.24 or later, or 3.3.6 or later.

  • What versions are affected by CVE-2025-32431?

    CVE-2025-32431 affects Traefik versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2.

  • What configurations are vulnerable in CVE-2025-32431?

    Traefik is vulnerable to CVE-2025-32431 when it is configured to route requests using PathPrefix, Path, or PathRegex matchers.

  • Is CVE-2025-32431 a zero-day vulnerability?

    CVE-2025-32431 is not classified as a zero-day vulnerability since it has been disclosed and a fix is available.
