CVE-2025-47952

9.1 CRITICAL

📋 TL;DR

This vulnerability in Traefik allows attackers to bypass router path matching rules by using URL-encoded strings in request paths. This could enable access to backend services that should be protected by middlewares like authentication or rate limiting. All Traefik deployments using PathPrefix, Path, or PathRegex matchers are affected.

💻 Affected Systems

Products:
  • Traefik
Versions: All versions prior to 2.11.25 and 3.4.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using PathPrefix, Path, or PathRegex matchers to route requests to backends.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass authentication, authorization, or security middlewares to access sensitive backend services, potentially leading to data exposure or unauthorized actions.

🟠 Likely Case

Unauthorized access to backend services that should be protected by security middlewares, potentially exposing internal APIs or applications.

🟢 If Mitigated

Limited impact if additional network segmentation or application-level controls exist, but still represents a configuration bypass vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted URLs with URL-encoded path components to bypass router matching.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.25 or 3.4.1

Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5

Restart Required: Yes

Instructions:

1. Identify your Traefik version.
2. Upgrade to 2.11.25 if using Traefik 2.x.
3. Upgrade to 3.4.1 if using Traefik 3.x.
4. Restart the Traefik service.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

URL Path Sanitization Middleware

Applies to: all

Implement a custom middleware that percent-decodes and normalizes the request path before the router matching decision is made.

Network Segmentation

Applies to: all

Isolate Traefik instances and restrict which backends they can reach with additional firewall rules.

🧯 If You Can't Patch

  • Implement strict network access controls between Traefik and backend services
  • Add application-level authentication/authorization in backend services as defense in depth

🔍 How to Verify

Check if Vulnerable:

Check if your Traefik version is below 2.11.25 (for v2) or below 3.4.1 (for v3) and uses path-based routing matchers

Check Version:

traefik version

Verify Fix Applied:

After upgrading, test that URL-encoded paths no longer bypass router matching by attempting to access protected routes with encoded characters

📡 Detection & Monitoring

Log Indicators:

  • Requests with URL-encoded characters in paths accessing unexpected backends
  • Access logs showing successful requests to routes that should be blocked

Network Indicators:

  • Unusual traffic patterns to backend services from Traefik
  • Requests containing %2F (encoded slash), %2E (encoded dot), double-encoded sequences such as %25, or other percent-encoded path characters

SIEM Query:

source="traefik" AND url_path="*%*" AND status_code=200 AND NOT router_name IN ("<routers expected to serve that path>")
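The log indicators above in runnable form, as an added example that is not part of this advisory or of the Traefik project: it reads constructed Traefik-style JSON access-log lines, percent-decodes each RequestPath with a bounded loop (so double encoding such as %252e is caught), collapses dot segments, and flags any request whose normalized path falls under a protected prefix but was handled by a different router than the one carrying the protection middleware. The field names RequestPath, RouterName, DownstreamStatus and ClientHost, the protected prefix /admin and the router names are assumptions. The same normalization step is what the "URL Path Sanitization Middleware" workaround would apply before routing.

```python
import json
import posixpath
from urllib.parse import unquote

# Constructed sample lines in the shape of Traefik's JSON access log (not real
# traffic). The field names are an assumption about that format.
SAMPLE_LOG = """
{"ClientHost":"203.0.113.10","RequestPath":"/admin/users","RouterName":"admin@docker","DownstreamStatus":401}
{"ClientHost":"203.0.113.11","RequestPath":"/public/index.html","RouterName":"public@docker","DownstreamStatus":200}
{"ClientHost":"203.0.113.12","RequestPath":"/%61dmin/users","RouterName":"public@docker","DownstreamStatus":200}
{"ClientHost":"203.0.113.12","RequestPath":"/public/..%2Fadmin/users","RouterName":"public@docker","DownstreamStatus":200}
{"ClientHost":"203.0.113.12","RequestPath":"/public/%252e%252e/admin","RouterName":"public@docker","DownstreamStatus":200}
"""

# Hypothetical mapping: path prefix that must be guarded -> the router that
# carries the auth / rate-limit middleware for it. Adjust to your own routers.
PROTECTED_PREFIXES = {"/admin": "admin@docker"}

MAX_DECODE_ROUNDS = 3  # bounded so a pathological input cannot loop forever


def normalize_path(raw: str) -> str:
    """Percent-decode until stable (catches double encoding) and collapse
    '.' / '..' segments, giving the path a backend would actually see."""
    decoded = raw
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    norm = posixpath.normpath(decoded)
    return norm if norm.startswith("/") else "/" + norm


def under_prefix(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def analyze_line(line: str):
    """Return a finding dict if the request resolves to a protected prefix
    but was routed by some other router, else None."""
    rec = json.loads(line)
    raw = rec.get("RequestPath", "")
    norm = normalize_path(raw)
    for prefix, expected_router in PROTECTED_PREFIXES.items():
        if under_prefix(norm, prefix) and rec.get("RouterName") != expected_router:
            return {
                "client": rec.get("ClientHost"),
                "raw_path": raw,
                "normalized_path": norm,
                "router": rec.get("RouterName"),
                "status": rec.get("DownstreamStatus"),
                "percent_encoded": "%" in raw,
            }
    return None


def scan(log_text: str) -> list:
    """Run analyze_line over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        if line.strip():
            finding = analyze_line(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the constructed sample the first line is not flagged (an encoded-free request to /admin that the admin router answered with 401 is the expected behaviour), while the three percent-encoded requests that resolve under /admin but were served by the public router are reported. Because the check compares the normalized path against the router that actually handled the request, it keeps working after the upgrade and gives a direct way to confirm the "Verify Fix Applied" step: once patched, such findings should stop appearing.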
