Traefik has a possible vulnerability with the path matchers
Description
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a PathRegexp rule to the matcher to prevent matching a route with a /../ in the path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Traefik path normalization flaw allows URL path traversal to bypass middleware chains via /../ sequences.
Vulnerability
Traefik, a popular HTTP reverse proxy and load balancer, contains a path traversal vulnerability in versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. The issue affects routers using PathPrefix, Path, or PathRegex matchers: when Traefik is configured to route requests to a backend based on a path matcher, a URL containing /../ segments can be normalized, causing the request to be routed to a different backend than intended [1][3].
Exploitation
An attacker can craft an HTTP request with a path like /service/sub-path/../other-path. If the first router expects a path prefix such as /service and a second router expects /service/sub-path, the traversal sequence will cause Traefik to resolve the request to the first router while bypassing any middlewares (e.g., authentication or rate-limiting) that were attached to the second router. The workaround suggested by the vendor is adding a PathRegexp rule to explicitly reject paths containing /../ [3].
Impact
Successful exploitation allows an attacker to reach backend services that should be protected by a middleware chain, effectively bypassing security controls. This could lead to unauthorized access to sensitive functionality or data exposed via those backends.
Mitigation
The vulnerability is fixed in Traefik versions 2.11.24, 3.3.6, and 3.4.0-rc2 [1][3]. Users unable to update immediately should apply the provided workaround: insert a PathRegexp matcher rule to block URLs containing /../ (e.g., !PathRegexp("(?:(/\.\./)+.*)")) into their route definitions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/traefik/traefikGo | <= 1.7.34 | — |
github.com/traefik/traefik/v2Go | < 2.11.23 | 2.11.23 |
github.com/traefik/traefik/v3Go | < 3.3.6 | 3.3.6 |
github.com/traefik/traefik/v3Go | >= 3.4.0-rc1, < 3.4.0-rc2 | 3.4.0-rc2 |
Affected products
7- ghsa-coords5 versionspkg:golang/github.com/traefik/traefikpkg:golang/github.com/traefik/traefik/v2pkg:golang/github.com/traefik/traefik/v3pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/traefik2&distro=openSUSE%20Tumbleweed
<= 1.7.34+ 4 more
- (no CPE)range: <= 1.7.34
- (no CPE)range: < 2.11.23
- (no CPE)range: < 3.3.6
- (no CPE)range: < 0.0.20250422T181640-1.1
- (no CPE)range: < 2.11.26-1.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-6p68-w45g-48j7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-32431ghsaADVISORY
- github.com/traefik/traefik/pull/11684ghsax_refsource_MISCWEB
- github.com/traefik/traefik/releases/tag/v2.11.24ghsax_refsource_MISCWEB
- github.com/traefik/traefik/releases/tag/v3.3.6ghsax_refsource_MISCWEB
- github.com/traefik/traefik/releases/tag/v3.4.0-rc2ghsax_refsource_MISCWEB
- github.com/traefik/traefik/security/advisories/GHSA-6p68-w45g-48j7ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.