X-Forwarded-Prefix Header still allows for Open Redirect in traefik
Description
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Traefik fails to properly sanitize the X-Forwarded-Prefix header, allowing an attacker to inject an absolute URL and perform an open redirect.
Vulnerability
CVE-2024-52003 is an open redirect vulnerability in Traefik, an HTTP reverse proxy and load balancer. The root cause is an incomplete fix for a previously reported open redirect (GHSA-6qq8-5wq3-86rp) [3]. The safePrefix function, which validates the X-Forwarded-Prefix header, can be tricked into returning an absolute URL when the header contains certain payloads such as %0d//a.com or %2f%2fa.com [3]. This occurs because after URL parsing, the function returns only the path component, but an attacker can craft the header so that the parsed path is an absolute URL (e.g., //a.com) [3].
Exploitation
An attacker can exploit this by sending an HTTP request to a Traefik instance with a malicious X-Forwarded-Prefix header. For example, curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com' results in a 302 redirect to //a.com/dashboard/ [3]. The attacker does not require authentication or special privileges; the vulnerability is triggered by any inbound HTTP request that reaches Traefik's API dashboard component [3]. The attack surface is limited to scenarios where Traefik is configured to trust the X-Forwarded-Prefix header from clients, as is common in reverse proxy deployments [1][2].
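To make the root cause and the fix direction concrete, here is an added Go example (not Traefik's code) that reconstructs the parse-then-return-path pattern described above beside a strict validator that treats the header as an opaque rooted path prefix; the function names, the redirect shape and the "/traefik" sample prefix are assumptions, while the payloads are the ones quoted in the narrative.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// flawedPrefix reconstructs the pattern the advisory describes (illustrative, not
// Traefik's code): parse the header as a URL, drop it if a host is present,
// otherwise trust whatever the path component contains.
func flawedPrefix(header string) string {
	u, err := url.Parse(header)
	if err != nil || u.Host != "" {
		return ""
	}
	return u.Path // "%2f%2fa.com" decodes to "//a.com", "%0d//a.com" to "\r//a.com"
}

// strictPrefix validates the raw header instead of a parsed URL: exactly one
// leading "/", no control characters, backslashes, percent-escapes, query or
// fragment markers, and no dot segments. Anything else is dropped.
func strictPrefix(header string) string {
	forbidden := func(r rune) bool { return r < 0x20 || r == 0x7f || strings.ContainsRune("\\%?#", r) }
	if !strings.HasPrefix(header, "/") || strings.HasPrefix(header, "//") ||
		strings.IndexFunc(header, forbidden) >= 0 {
		return ""
	}
	for _, seg := range strings.Split(header, "/") {
		if seg == "." || seg == ".." {
			return ""
		}
	}
	return strings.TrimSuffix(header, "/")
}

// redirectTarget is the Location a "/" -> "/dashboard/" redirect would carry.
func redirectTarget(validate func(string) string, header string) string {
	return validate(header) + "/dashboard/"
}

func main() {
	for _, h := range []string{"/traefik", "//a.com", "%2f%2fa.com", "%0d//a.com"} {
		fmt.Printf("%-14q flawed=%q strict=%q\n", h,
			redirectTarget(flawedPrefix, h), redirectTarget(strictPrefix, h))
	}
}
```

The raw "//a.com" case shows what the earlier fix caught (a parsed host); the percent-encoded variants slip past that check because the host only appears after the path component is decoded.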
Impact
Successful exploitation allows an attacker to redirect users to an arbitrary external domain, which can be leveraged for phishing, credential theft, or other client-side attacks [3]. In cache poisoning scenarios, the open redirect may be further exploitable to poison web caches and deliver malicious content to multiple users [3]. The vulnerability does not directly compromise the Traefik server itself, but it undermines the integrity of the redirect functionality.
Mitigation
Traefik has released patched versions 2.11.14 and 3.2.1 that address this issue by dropping untrusted X-Forwarded-Prefix headers [1][4]. Users are strongly advised to upgrade to these or later versions [1]. There are no known workarounds for this vulnerability [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/traefik/traefik/v2 (Go) | < 2.11.14 | 2.11.14 |
| github.com/traefik/traefik/v3 (Go) | < 3.2.1 | 3.2.1 |
Affected products
- pkg:apk/chainguard/traefik-2.11 (no CPE), range: < 2.11.14-r0
- pkg:golang/github.com/traefik/traefik/v2 (no CPE), range: < 2.11.14
- pkg:golang/github.com/traefik/traefik/v3 (no CPE), range: < 3.2.1
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.0.20241209T183251-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h924-8g65-j9wg (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-52003 (advisory)
- github.com/traefik/traefik/pull/11253 (pull request)
- github.com/traefik/traefik/releases/tag/v2.11.14 (release notes)
- github.com/traefik/traefik/releases/tag/v3.2.1 (release notes)
- github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg (vendor advisory)
News mentions
No linked articles in our index yet.