CVE-2025-32431

moderate-risk

Published 2025-04-21

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.

Do I need to act?

0.44% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Traefik

Affected Vendors

Traefik

References (5)

Patch https://github.com/traefik/traefik/pull/11684

Release Notes https://github.com/traefik/traefik/releases/tag/v2.11.24

Release Notes https://github.com/traefik/traefik/releases/tag/v3.3.6

Release Notes https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

Patch https://github.com/traefik/traefik/security/advisories/GHSA-6p68-w45g-48j7

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 2/34 · Minimal

Exposure 9/34 · Low