Impact
In Traefik versions prior to 2.11.48, 3.6.19, and 3.7.3, the StripPrefix middleware lets an unauthenticated attacker bypass route‑level authentication and authorization. A public router that matches a PathPrefix rule and applies the StripPrefix middleware may accept a request path containing `..` or its percent‑encoded form `%2e%2e`. Because the router match is evaluated before the prefix is stripped, the crafted path is routed to the public router; only after StripPrefix removes the prefix is the remaining path normalized, and at that point the dot segment collapses into a path that a separate, authenticated router was meant to guard. The backend therefore serves protected paths such as admin or internal configuration endpoints without the authentication middleware attached to the protected router ever running. The vulnerability is fixed in the releases named above.
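The following Go program is an added illustration of the ordering problem described above; it is not Traefik code and does not reproduce Traefik's router internals. It models two routers in front of one backend (a public router with `PathPrefix("/public")` plus `StripPrefix("/public")`, and an admin router with `PathPrefix("/admin")` plus an auth middleware), which are assumed names chosen for the example, as are the `route` and `normalize` functions and the `/admin/config` target path. With `hardened=false` the routers match on the raw path and normalization happens only after StripPrefix, which is the sequence the advisory describes; with `hardened=true` the path is percent‑decoded and cleaned before routing, so a dot segment can no longer move a request from one router's prefix to another's.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Result records what the model did with one request.
type Result struct {
	Router      string // router that matched: "public", "admin", or "" for none
	AuthChecked bool   // whether the admin router's auth middleware ran
	Status      int    // 200 served, 401 auth failed, 400 rejected, 404 no router
	BackendPath string // path the shared backend finally receives, "" if none
}

// normalize percent-decodes a request path and collapses dot segments, which is
// what a backend (or a proxy that normalizes early) ends up seeing.
func normalize(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + strings.TrimPrefix(decoded, "/")), nil
}

// route sends one request through two routers that front the same backend
// (assumed topology for this example):
//
//	public: PathPrefix("/public") + StripPrefix("/public"), no auth middleware
//	admin:  PathPrefix("/admin")  + auth middleware
//
// hardened=false: routers match on the raw path; normalization happens only
// after StripPrefix has run (the ordering the advisory describes).
// hardened=true: the path is normalized before matching.
func route(rawPath string, authenticated, hardened bool) Result {
	matchPath := rawPath
	if hardened {
		n, err := normalize(rawPath)
		if err != nil {
			return Result{Status: 400}
		}
		matchPath = n
	}

	switch {
	case strings.HasPrefix(matchPath, "/admin"):
		if !authenticated {
			return Result{Router: "admin", AuthChecked: true, Status: 401}
		}
		return Result{Router: "admin", AuthChecked: true, Status: 200, BackendPath: matchPath}

	case strings.HasPrefix(matchPath, "/public"):
		stripped := strings.TrimPrefix(matchPath, "/public")
		if stripped == "" {
			stripped = "/"
		}
		// Whatever leaves StripPrefix is normalized on its way to the backend.
		// In the vulnerable ordering this is where "/../admin/x" becomes
		// "/admin/x", after the public router has already claimed the request.
		backendPath, err := normalize(stripped)
		if err != nil {
			return Result{Router: "public", Status: 400}
		}
		return Result{Router: "public", Status: 200, BackendPath: backendPath}
	}
	return Result{Status: 404}
}

func main() {
	// Constructed sample requests: a plain "..", its percent-encoded form, and
	// an ordinary public request for comparison. None carry credentials.
	probes := []string{
		"/public/../admin/config",
		"/public/%2e%2e/admin/config",
		"/public/index.html",
	}
	for _, hardened := range []bool{false, true} {
		fmt.Printf("hardened=%v\n", hardened)
		for _, p := range probes {
			r := route(p, false, hardened)
			fmt.Printf("  %-30s router=%-9q auth=%-5v status=%d backend=%q\n",
				p, r.Router, r.AuthChecked, r.Status, r.BackendPath)
		}
	}
}
```

In the vulnerable ordering both crafted requests reach the backend at `/admin/config` with the auth middleware never consulted, while the ordinary `/public/index.html` request is stripped to `/index.html` as intended. In the hardened ordering the same crafted requests normalize to `/admin/config` before matching, hit the admin router, and are refused with 401. The model shows why the order of matching and normalization matters; the actual remedy for affected deployments is the upgrade named in this advisory.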
Affected Systems
Traefik versions earlier than 2.11.48, 3.6.19, and 3.7.3 are affected. Any deployment running one of those versions with a public router that combines a PathPrefix rule with the StripPrefix middleware is vulnerable where the stripped path can resolve to a location that a separate, authenticated router is meant to guard. Upgrading to the specified releases or later resolves the issue.
Risk and Exploitability
The vulnerability has a CVSS score of 7.8, indicating high severity. No EPSS score is available, so the current probability of exploitation cannot be quantified. The flaw is not listed in the CISA KEV catalog. It is nonetheless reachable by a remote attacker who can send HTTP requests to the Traefik instance: no local access, privilege escalation, or prior user authentication is required, and protected paths are reached simply by constructing a request path that includes `..` or its percent‑encoded form.
OpenCVE Enrichment
GitHub GHSA