GHSA-6p68-w45g-48j7: Path Traversal

CWE: CWE-22
First published: Mon Apr 21 2025

## Impact

There is a potential vulnerability in how Traefik handles requests routed with a `PathPrefix`, `Path` or `PathRegexp` matcher. When Traefik is configured to route requests to a backend using a path-based matcher, and the request URL contains `/../` in its path, the raw (unnormalized) path can match a different router that exposes the same backend. The request then reaches that backend while bypassing the middleware chain attached to the router that should have handled the normalized path.

## Example

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(`/service`)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(`/service/sub-path`)
      kind: Rule
      services:
        - name: service-a
          port: 8080
```

In this configuration, the request `http://mydomain.example.com/service/sub-path/../other-path` matches the second router (the `PathPrefix` rule for `/service/sub-path`) and reaches the backend `service-a` without passing through `my-middleware-a`. The normalized path is `/service/other-path`, which matches only the first router, so the request should have been handled by that router with `my-middleware-a` applied.

## Patches

- https://github.com/traefik/traefik/releases/tag/v2.11.24
- https://github.com/traefik/traefik/releases/tag/v3.3.6
- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

## Workaround

Add a negated `PathRegexp` rule to the matcher so that a path containing `/../` does not match the route. Example:

```yaml
match: PathPrefix(`/service`) && !PathRegexp(`(?:(/\.\./)+.*)`)
```

## For more information

If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
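To make the routing decision concrete, here is an added Go example that is not code from Traefik or from the advisory. It models the two routers above with a simplified `PathPrefix` matcher and compares three behaviours on the advisory's request URL: matching on the path as received (the vulnerable case), matching on the dot-segment-resolved path (the fixed case), and matching with the workaround's negated `PathRegexp` applied to every router. The `Router` and `Decision` types, the segment-boundary prefix rule and the longest-prefix priority are assumptions made for this illustration, not Traefik's rule engine.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Router is a simplified model of one Traefik route: a PathPrefix matcher and
// the middleware chain attached to it ("" means no middleware). Assumption:
// this models the advisory's scenario; it is not Traefik's own rule engine.
type Router struct {
	Name       string
	Prefix     string
	Middleware string
}

// Decision records which router handled a request and what the matcher saw.
type Decision struct {
	Router     string // "" means no router matched (the request is rejected)
	Middleware string // middleware the request passed through, if any
	Path       string // the path string the matchers were evaluated against
}

// Routers mirrors the two routes in the advisory's IngressRoute example
// (constructed input for this illustration).
var Routers = []Router{
	{Name: "service", Prefix: "/service", Middleware: "my-middleware-a"},
	{Name: "sub-path", Prefix: "/service/sub-path", Middleware: ""},
}

// traversalRe is the expression from the advisory's workaround, used here as
// the negated matcher !PathRegexp(...).
var traversalRe = regexp.MustCompile(`(?:(/\.\./)+.*)`)

// hasPrefix approximates PathPrefix: the prefix must end on a segment boundary,
// so "/service" matches "/service/x" but not "/servicex".
func hasPrefix(p, prefix string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// pick returns the longest-prefix router matching p. With guard set, every
// router's matcher carries the advisory's !PathRegexp rule, so a path that
// contains "/../" matches nothing.
func pick(p string, guard bool) (Router, bool) {
	if guard && traversalRe.MatchString(p) {
		return Router{}, false
	}
	var best Router
	found := false
	for _, r := range Routers {
		if hasPrefix(p, r.Prefix) && (!found || len(r.Prefix) > len(best.Prefix)) {
			best, found = r, true
		}
	}
	return best, found
}

// Dispatch routes one request URL. normalize=false evaluates matchers on the
// path as received (the vulnerable behaviour described in the advisory);
// normalize=true evaluates them on the dot-segment-resolved path (the fixed
// behaviour). guard=true adds the advisory's workaround to every router.
func Dispatch(rawURL string, normalize, guard bool) Decision {
	u, err := url.Parse(rawURL)
	if err != nil {
		return Decision{}
	}
	p := u.Path // url.Parse keeps "/../" in place; it does not resolve it
	if normalize {
		p = path.Clean(p)
	}
	r, ok := pick(p, guard)
	if !ok {
		return Decision{Path: p}
	}
	return Decision{Router: r.Name, Middleware: r.Middleware, Path: p}
}

func main() {
	req := "http://mydomain.example.com/service/sub-path/../other-path"
	fmt.Printf("vulnerable (raw path):    %+v\n", Dispatch(req, false, false))
	fmt.Printf("fixed (cleaned path):     %+v\n", Dispatch(req, true, false))
	fmt.Printf("workaround (!PathRegexp): %+v\n", Dispatch(req, false, true))
}
```

Running it shows the bypass directly: on the raw path the longer `/service/sub-path` prefix wins and no middleware runs; on the cleaned path `/service/other-path` only the `/service` router matches and `my-middleware-a` is applied. The guard is applied to every router here by design, so a traversal request is rejected outright rather than falling through to a different router. Note that this model evaluates the regexp against the decoded path produced by `url.Parse`; the advisory does not say how Traefik treats percent-encoded dot segments, so test that case against your own deployment rather than assuming the workaround covers it.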

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| go/github.com/traefik/traefik/v3 | =3.4.0-rc1 | 3.4.0-rc2 |
| go/github.com/traefik/traefik/v3 | <3.3.6 | 3.3.6 |
| go/github.com/traefik/traefik/v2 | <2.11.23 | 2.11.23 |
| go/github.com/traefik/traefik | <=1.7.34 | no fixed version listed |

Note that this table lists 2.11.23 as the fixed release for the v2 branch, while the advisory's patch list above links v2.11.24; verify the exact fixed version against the upstream release notes before relying on 2.11.23.


Frequently Asked Questions

  • What is the CVE ID for the vulnerability GHSA-6p68-w45g-48j7?

    This page lists no CVE ID for GHSA-6p68-w45g-48j7; check the GitHub advisory for any CVE assigned since it was published.

  • What is the severity of GHSA-6p68-w45g-48j7?

    The page gives no CVSS score. The impact is a middleware bypass: a request whose path contains `/../` can be routed by a path-based router to a backend without passing through the middleware chain (for example an authentication middleware) that another router attaches to the same backend.

  • How do I fix GHSA-6p68-w45g-48j7?

    Upgrade to Traefik 3.4.0-rc2, 3.3.6, or the fixed 2.11.x release named in the advisory (the patch list links v2.11.24, the affected-version table lists 2.11.23). If you cannot upgrade immediately, add the `!PathRegexp` workaround from the advisory to the affected matchers.

  • What specific components are affected by GHSA-6p68-w45g-48j7?

    Traefik's path-based routing (`PathPrefix`, `Path` and `PathRegexp` matchers) in versions before 3.4.0-rc2, 3.3.6 and the fixed 2.11.x release, plus the 1.7 series (<=1.7.34), for which no fixed version is listed.

  • What issue does GHSA-6p68-w45g-48j7 address?

    Improper path handling (CWE-22) in Traefik's routing: matchers were evaluated against the raw request path, so a `/../` segment could make a request match a different router than the one its normalized path belongs to, bypassing that router's middleware.
