CVE-2025-54386
📋 TL;DR
A path traversal vulnerability in Traefik's WASM plugin installation mechanism allows attackers to overwrite arbitrary system files by uploading malicious ZIP archives containing directory traversal sequences (../). This can lead to remote code execution, privilege escalation, or denial of service. Affected users include anyone running vulnerable Traefik versions with plugin installation enabled.
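The defensive check that closes this class of bug, shown here as an added example and not as Traefik's own code or its fix: every entry name in an uploaded archive is resolved under the plugin directory before anything is written, and the archive is rejected as soon as one cleaned path escapes that directory. The destination path and the archive entry names are constructed for the example; nothing is written to disk.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any archive entry whose resolved path would
// land outside the intended plugin directory (the "zip slip" pattern).
var ErrTraversal = errors.New("zip entry escapes destination directory")

// safeJoin resolves an archive entry name under dest and rejects empty or
// absolute names, backslash-separated names and names that climb out via "..".
func safeJoin(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.HasPrefix(name, "/") || strings.Contains(name, "\\") {
		return "", ErrTraversal
	}
	cleanDest := filepath.Clean(dest)
	// Compare against the directory plus a trailing separator so that a
	// sibling such as "plugins2" is not mistaken for "plugins".
	prefix := cleanDest
	if !strings.HasSuffix(prefix, string(filepath.Separator)) {
		prefix += string(filepath.Separator)
	}
	// Join cleans the result, so "a/../../x" collapses to a path that no
	// longer starts with the destination prefix and is refused below.
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	if !strings.HasPrefix(target, prefix) {
		return "", ErrTraversal
	}
	return target, nil
}

// checkArchive validates every entry of an in-memory ZIP before extraction
// and returns the resolved target paths, or the first traversal error.
// A real installer would only proceed to write files when err == nil.
func checkArchive(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, err
	}
	// Go 1.20+ may flag non-local names as zip.ErrInsecurePath while still
	// returning a usable reader; the per-entry check below covers those too.
	var paths []string
	for _, f := range r.File {
		p, err := safeJoin(dest, f.Name)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// buildZip builds a small archive in memory. The entry names are constructed
// sample data for this example, not taken from a real plugin package.
func buildZip(names ...string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		fw, err := w.Create(n)
		if err != nil {
			panic(err)
		}
		fw.Write([]byte("sample"))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	// Hypothetical plugin directory; the real path depends on the deployment.
	const dest = "/var/lib/traefik/plugins"
	benign := buildZip("demo/.traefik.yml", "demo/plugin.wasm")
	hostile := buildZip("demo/.traefik.yml", "../../../outside.txt") // constructed traversal entry

	if paths, err := checkArchive(benign, dest); err == nil {
		fmt.Println("benign archive accepted:", paths)
	}
	if _, err := checkArchive(hostile, dest); errors.Is(err, ErrTraversal) {
		fmt.Println("hostile archive rejected:", err)
	}
}
```

The check validates names only. An extractor that also honours symlink entries needs a second guard (refuse symlinks, or resolve each parent with filepath.EvalSymlinks before writing), because a link created by an earlier entry can redirect a later, name-wise valid entry outside the directory.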
💻 Affected Systems
- Traefik
📦 What is this software?
Traefik by Traefik
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and persistent backdoor installation.
Likely Case
File system corruption, denial of service, or limited code execution depending on attacker's access and privileges.
If Mitigated
Limited impact if plugin installation is disabled or proper file permissions restrict write access to critical directories.
🎯 Exploit Status
Exploitation requires uploading a malicious ZIP file to the plugin installation endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.28, 3.4.5, and 3.5.0
Vendor Advisory: https://github.com/traefik/traefik/releases/tag/v2.11.28
Restart Required: Yes
Instructions:
1. Identify current Traefik version.
2. Upgrade to patched version (2.11.28, 3.4.5, or 3.5.0).
3. Restart Traefik service.
4. Verify version update.
🔧 Temporary Workarounds
Disable plugin installation
Disable WASM plugin installation functionality if not required.
Modify Traefik configuration to remove or disable plugin installation endpoints
Restrict plugin upload access
Implement network-level restrictions to limit access to plugin installation endpoints.
Configure firewall rules to restrict access to Traefik plugin endpoints
🧯 If You Can't Patch
- Disable plugin installation functionality entirely
- Implement strict network segmentation and access controls for Traefik instances
🔍 How to Verify
Check if Vulnerable:
Check Traefik version against affected ranges and verify plugin installation is enabled.
Check Version:
traefik version
Verify Fix Applied:
Confirm Traefik version is 2.11.28, 3.4.5, or 3.5.0+ and test plugin installation with traversal payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual plugin installation attempts
- File write operations outside plugin directory
- ZIP file uploads with ../ sequences
Network Indicators:
- HTTP requests to plugin installation endpoints with ZIP payloads
SIEM Query:
source="traefik" AND ("plugin" OR "upload" OR "zip") AND ("..\/" OR "../")
🔗 References
- https://github.com/traefik/plugin-service/pull/71
- https://github.com/traefik/plugin-service/pull/72
- https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800
- https://github.com/traefik/traefik/pull/11911
- https://github.com/traefik/traefik/releases/tag/v2.11.28
- https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg