GHSA-vrch-868g-9jx5

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(‘/service’)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(‘/service/sub-path’)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.25
• https://github.com/traefik/traefik/releases/tag/v3.4.1

For more information

If you have any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

Summary

Path traversal with "/../" using URL encodings ("/%2e%2e") allows for circumventing routing rules.

Details

When having defined a route, you can path traverse using the URL encoded variant of /../ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /../ and has been fixed in this CVE. This URL encoding trick works around that https://nvd.nist.gov/vuln/detail/CVE-2025-32431

Simply implementing a check on the URL encoding won't be sufficient as path traversal can take numerous formats. See examples here: https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html

PoC

Setup a service with two endpoints: "/public" and "/private", which returns a 200 OK for both Setup a Traefik proxy with a single route which points to the service using path /public

Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik) When making a request to /public/%2e%2e/private you should receive a 200 OK.

Impact

Impacts all traefik implementations with path prefix routes that expose only part of the downstream api

Suggestion

Provide configuration property which disables all path traversals. Steps: 1. Decode URL 2. Evaluate and construct relative path (do traversal before route evaluation) 3. Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp) </details>