GHSA-gm3x-23wp-hc2c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gm3x-23wp-hc2c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-gm3x-23wp-hc2c/GHSA-gm3x-23wp-hc2c.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-gm3x-23wp-hc2c
- Aliases
-
- CVE-2025-66490
- Published
- 2025-12-08T16:42:30Z
- Modified
- 2025-12-08T16:56:16.563737Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Path Normalization Bypass in Traefik Router + Middleware Rules
- Details
-
Impact
There is a potential vulnerability in Traefik managing the requests using a
PathPrefix,PathorPathRegexmatcher.When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set ('/', '\', 'Null', ';', '?', '#'), it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.
Example
apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: my-service spec: routes: - match: PathPrefix(‘/admin/’) kind: Rule services: - name: service-a port: 8080 middlewares: - name: my-security-middleware - match: PathPrefix(‘/’) kind: Rule services: - name: service-a port: 8080In such a case, the request
http://mydomain.example.com/admin%2Fwill reach the backendservice-awithout operating the middlewaremy-security-middlewareand passing the security put in place for the/admin/path.Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.32
- https://github.com/traefik/traefik/releases/tag/v3.6.4
For more information
If you have any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary>### Summary A vulnerability exists in Traefik’s path matching logic that allows attackers to bypass access-control middleware (e.g., blocking rules) by using URL-encoded paths. I found this vulnerability while playing PwnSec CTF 2025 with my team @0xL4ugh
Details
Traefik evaluates router rules before decoding or normalizing the request path, but forwards the request after decoding to the backend service. As a result, routes meant to block access to sensitive endpoints (such as internal, beta, or admin endpoints) can be trivially bypassed.
PoC
Traefik configuration used in this issue : ``
[http.routers.flask-router-report-deny] entryPoints = ["web"] rule = "PathPrefix(/report_note`)" priority = 10 middlewares = ["block-access"] service = "flask-service"[http.middlewares.block-access.replacePathRegex] regex = ".*" replacement = "/blocked"
The intention is to block all access to /report_note. However, the following request bypasses the block:POST /%2freport_note HTTP/1.1 Host: localhost:62814
```
Impact
Access Control Bypass: Any endpoint intended to be blocked (e.g., admin/debug/beta APIs) can be accessed by URL-encoding slashes or other characters.
This could lead to:
- Unauthorized access to restricted endpoints
- Execution of protected internal functionality
- Potential privilege escalation
- Bypass of security policies enforced via Traefik routing rules </details>
- Database specific
{ "github_reviewed": true, "nvd_published_at": null, "severity": "MODERATE", "cwe_ids": [ "CWE-436" ], "github_reviewed_at": "2025-12-08T16:42:30Z" }- References
Affected packages
Go / github.com/traefik/traefik/v3
Package
- Name
- github.com/traefik/traefik/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/traefik/traefik/v3
Go / github.com/traefik/traefik/v2
Package
- Name
- github.com/traefik/traefik/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/traefik/traefik/v2
Go / github.com/traefik/traefik
Package
- Name
- github.com/traefik/traefik
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/traefik/traefik