Headline
GHSA-vrch-868g-9jx5: Traefik allows path traversal using url encoding
Impact
There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.
Example
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: my-service
spec:
routes:
- match: PathPrefix(‘/service’)
kind: Rule
services:
- name: service-a
port: 8080
middlewares:
- name: my-middleware-a
- match: PathPrefix(‘/service/sub-path’)
kind: Rule
services:
- name: service-a
port: 8080
In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.25
- https://github.com/traefik/traefik/releases/tag/v3.4.1
For more information
If you have any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary>
Summary
Path traversal with “/…/” using URL encodings (“/%2e%2e”) allows for circumventing routing rules.
Details
When having defined a route, you can path traverse using the URL encoded variant of /…/ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /…/ and has been fixed in this CVE. This URL encoding trick works around that https://nvd.nist.gov/vuln/detail/CVE-2025-32431
Simply implementing a check on the URL encoding won’t be sufficient as path traversal can take numerous formats. See examples here: https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html
PoC
Setup a service with two endpoints: “/public” and "/private", which returns a 200 OK for both Setup a Traefik proxy with a single route which points to the service using path /public
Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik) When making a request to /public/%2e%2e/private you should receive a 200 OK.
Impact
Impacts all traefik implementations with path prefix routes that expose only part of the downstream api
Suggestion
Provide configuration property which disables all path traversals. Steps:
- Decode URL
- Evaluate and construct relative path (do traversal before route evaluation)
- Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp) </details>
Impact
There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.
When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.
Example
apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: my-service spec: routes: - match: PathPrefix(‘/service’) kind: Rule services: - name: service-a port: 8080 middlewares: - name: my-middleware-a - match: PathPrefix(‘/service/sub-path’) kind: Rule services: - name: service-a port: 8080
In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.25
- https://github.com/traefik/traefik/releases/tag/v3.4.1
For more information
If you have any questions or comments about this advisory, please open an issue.
Original Description ### Summary
Path traversal with “/…/” using URL encodings (“/%2e%2e”) allows for circumventing routing rules.
Details
When having defined a route, you can path traverse using the URL encoded variant of /…/ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /…/ and has been fixed in this CVE. This URL encoding trick works around that
https://nvd.nist.gov/vuln/detail/CVE-2025-32431
Simply implementing a check on the URL encoding won’t be sufficient as path traversal can take numerous formats. See examples here:
https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html
PoC
Setup a service with two endpoints: “/public” and "/private", which returns a 200 OK for both
Setup a Traefik proxy with a single route which points to the service using path /public
Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik)
When making a request to /public/%2e%2e/private you should receive a 200 OK.
Impact
Impacts all traefik implementations with path prefix routes that expose only part of the downstream api
Suggestion
Provide configuration property which disables all path traversals. Steps:
- Decode URL
- Evaluate and construct relative path (do traversal before route evaluation)
- Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp)
### References - https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5 - https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00 - https://github.com/traefik/traefik/releases/tag/v2.11.25 - https://github.com/traefik/traefik/releases/tag/v3.4.1