Headline
GHSA-q6gg-9f92-r9wg: Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
Summary
A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.
✅ After investigation, it is confirmed that no plugins on the Catalog were affected. There is no known impact.
Details
The vulnerability resides in the WASM plugin extraction logic, specifically in the unzipFile function (/plugins/client.go). The application constructs file paths during ZIP extraction using filepath.Join(destDir, f.Name) without validating or sanitizing f.Name. If the ZIP archive contains entries with ../, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem.
Attack Requirements
There are several requirements needed to make this attack possible:
- The Traefik server should be deployed with plugins enabled with a WASM plugin (yaegi plugins are not impacted).
- The attacker should have write access to a remote plugin asset loaded by the Traefik server
- The attacker should craft a malicious version of this plugin
Warning
As clearly stated in the documentation, plugins are experimental in Traefik, and unsafe plugins could damage your infrastructure:
Experimental Features Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.
Impact
This vulnerability did not affect any plugin from the catalog. There is no known impact.
Additionally, the catalog will also prevent any compromised plugin to be available across all Traefik versions.
This vulnerability could allow an attacker to perform arbitrary file write outside the intended plugin extraction directory by crafting a malicious ZIP archive that includes ../ (directory traversal) in file paths.
Summary
A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with …/ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.
✅ After investigation, it is confirmed that no plugins on the Catalog were affected. There is no known impact.
Details
The vulnerability resides in the WASM plugin extraction logic, specifically in the unzipFile function (/plugins/client.go). The application constructs file paths during ZIP extraction using filepath.Join(destDir, f.Name) without validating or sanitizing f.Name. If the ZIP archive contains entries with …/, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem.
Attack Requirements
There are several requirements needed to make this attack possible:
- The Traefik server should be deployed with plugins enabled with a WASM plugin (yaegi plugins are not impacted).
- The attacker should have write access to a remote plugin asset loaded by the Traefik server
- The attacker should craft a malicious version of this plugin
Warning
As clearly stated in the documentation, plugins are experimental in Traefik, and unsafe plugins could damage your infrastructure:
Experimental Features
Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.
Impact
This vulnerability did not affect any plugin from the catalog. There is no known impact.
Additionally, the catalog will also prevent any compromised plugin to be available across all Traefik versions.
This vulnerability could allow an attacker to perform arbitrary file write outside the intended plugin extraction directory by crafting a malicious ZIP archive that includes …/ (directory traversal) in file paths.
References
- GHSA-q6gg-9f92-r9wg
- traefik/plugin-service#71
- traefik/plugin-service#72
- traefik/traefik#11911
- traefik/traefik@5ef853a
- https://github.com/traefik/traefik/releases/tag/v2.11.28