CVE-2025-54386

moderate-risk
Published 2025-08-02

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.

Do I need to act?

-
1.00% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Traefik

References (6)

Patch https://github.com/traefik/plugin-service/pull/71
Patch https://github.com/traefik/plugin-service/pull/72
Patch https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a88...
Patch https://github.com/traefik/traefik/pull/11911
Release Notes https://github.com/traefik/traefik/releases/tag/v2.11.28
Vendor Advisory https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg
45
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 3/34 · Minimal
Exposure 10/34 · Low