{ "schema_version": "1.4.0", "id": "GHSA-6p68-w45g-48j7", "modified": "2025-04-25T14:41:49Z", "published": "2025-04-21T16:17:38Z", "aliases": [ "CVE-2025-32431" ], "summary": "Traefik has a possible vulnerability with the path matchers", "details": "## Impact\n\nThere is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.\n\nWhen Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a `/../` in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.\n\n## Example\n\n```yaml\napiVersion: traefik.io/v1alpha1\nkind: IngressRoute\nmetadata:\n name: my-service\nspec:\n routes:\n - match: PathPrefix(‘/service’)\n kind: Rule\n services:\n - name: service-a\n port: 8080\n middlewares:\n - name: my-middleware-a\n - match: PathPrefix(‘/service/sub-path’)\n kind: Rule\n services:\n - name: service-a\n port: 8080\n```\n\nIn such a case, the request `http://mydomain.example.com/service/sub-path/../other-path` will reach the backend `my-service-a` without operating the middleware `my-middleware-a` unless the computed path is `http://mydomain.example.com/service/other-path` and should be computes by the first router (operating `my-middleware-a`).\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.24\n- https://github.com/traefik/traefik/releases/tag/v3.3.6\n- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2\n\n## Workaround\n\nAdd a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.\n\nExample: \n\n```yaml\nmatch: PathPrefix(`/service`) && !PathRegexp(`(?:(/\\.\\./)+.*)`)\n```\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).", "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/traefik/traefik" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "1.7.34" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/traefik/traefik/v2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.11.23" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/traefik/traefik/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.3.6" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/traefik/traefik/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.4.0-rc1" }, { "fixed": "3.4.0-rc2" } ] } ], "versions": [ "3.4.0-rc1" ] } ], "references": [ { "type": "WEB", "url": "https://github.com/traefik/traefik/security/advisories/GHSA-6p68-w45g-48j7" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32431" }, { "type": "WEB", "url": "https://github.com/traefik/traefik/pull/11684" }, { "type": "PACKAGE", "url": "https://github.com/traefik/traefik" }, { "type": "WEB", "url": "https://github.com/traefik/traefik/releases/tag/v2.11.24" }, { "type": "WEB", "url": "https://github.com/traefik/traefik/releases/tag/v3.3.6" }, { "type": "WEB", "url": "https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-21T16:17:38Z", "nvd_published_at": "2025-04-21T16:15:54Z" } }