Impact
Traefik is an HTTP reverse proxy and load balancer. In versions prior to 2.11.48, 3.6.19, and 3.7.3, the StripPrefix middleware allows an unauthenticated attacker to bypass route‑level authentication and authorization. By sending a request path containing .. or the percent‑encoded %2e%2e, the request matches a public router with a PathPrefix rule during routing. After the prefix is stripped and the path is normalized, it resolves to a path served by a different authenticated router, enabling the attacker to reach protected backend paths such as admin or internal configuration endpoints without satisfying any attached authentication middleware. This flaw is classified as a CWE‑288 privilege management error and a CWE‑22 path traversal vulnerability.
Affected Systems
Traefik versions earlier than 2.11.48, 3.6.19, and 3.7.3 are affected. Any deployment using a public router with a PathPrefix rule combined with the StripPrefix middleware in those versions is vulnerable. Upgrading to the specified releases or later resolves the issue.
Risk and Exploitability
The vulnerability has a CVSS score of 7.8, indicating high severity. The EPSS score is less than 1%, indicating a low but nonzero likelihood of exploitation. The flaw permits an unauthenticated attacker to bypass route‑level authentication and authorization by manipulating request paths containing .. or %2e%2e, a path traversal technique (CWE‑22) and a privilege management error (CWE‑288). It is not listed in the CISA KEV catalog, but can be exploited by sending crafted HTTP requests to a Traefik instance because no local privilege escalation or user authentication is required.
OpenCVE Enrichment
Github GHSA