CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-47952 – Traefik allows path traversal using url encoding
https://notcve.org/view.php?id=CVE-2025-47952
30 May 2025 — Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versio... • https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-32431 – Traefik has a possible vulnerability with the path matchers
https://notcve.org/view.php?id=CVE-2025-32431
21 Apr 2025 — Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versi... • https://github.com/traefik/traefik/pull/11684 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52003 – X-Forwarded-Prefix Header still allows for Open Redirect in traefik
https://notcve.org/view.php?id=CVE-2024-52003
29 Nov 2024 — Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/traefik/traefik/pull/11253 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 1CVE-2024-45410 – HTTP client can remove the X-Forwarded headers in Traefik
https://notcve.org/view.php?id=CVE-2024-45410
19 Sep 2024 — Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed... • https://github.com/jphetphoumy/traefik-CVE-2024-45410-poc • CWE-345: Insufficient Verification of Data Authenticity CWE-348: Use of Less Trusted Source •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-39321 – Traefik vulnerable to bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes
https://notcve.org/view.php?id=CVE-2024-39321
05 Jul 2024 — Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available. Traefik es un proxy inverso HTTP y un equilibrador de carga. • https://github.com/traefik/traefik/releases/tag/v2.11.6 • CWE-639: Authorization Bypass Through User-Controlled Key •