CVE-2025-66490
📋 TL;DR
Traefik reverse proxy versions prior to 2.11.32 and 3.6.3 have a path normalization bypass vulnerability. Attackers can use URL-encoded characters to bypass security middleware and access restricted backend services. This affects all deployments using path-based routing with PathPrefix, Path, or PathRegex matchers.
💻 Affected Systems
- Traefik
📦 What is this software?
Traefik by Traefik
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass authentication/authorization middleware to access sensitive admin interfaces or internal services, potentially leading to data breaches or system compromise.
Likely Case
Unauthorized access to backend services that should be protected by security middleware, potentially exposing sensitive data or functionality.
If Mitigated
Limited impact if additional security controls exist at backend services or network segmentation prevents lateral movement.
🎯 Exploit Status
Exploitation requires knowledge of protected paths and uses simple URL encoding techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.32 or 3.6.3
Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Update Traefik to version 2.11.32 or 3.6.3 using your package manager or download from GitHub releases.
3. Restart Traefik service.
4. Verify the update with the 'traefik version' command.
🔧 Temporary Workarounds
WAF Rule for URL-encoded Path Bypass
Add Web Application Firewall rules to block requests with URL-encoded restricted characters in paths. Both patterns match case-insensitively, since %2f and %2F decode to the same byte.
# Example ModSecurity rule (t:none disables any default transformations such as urlDecodeUni that would decode the sequences before the match):
SecRule REQUEST_URI "@rx (?i)%2F|%5C|%00|%3B|%3F|%23" "id:1001,phase:1,t:none,deny,status:403,msg:'Path bypass attempt'"
# Example nginx rule (~* is already case-insensitive):
if ($request_uri ~* "%2F|%5C|%00|%3B|%3F|%23") { return 403; }
Backend Service Authentication
Implement authentication/authorization at backend services as defense-in-depth.
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable Traefik instances from sensitive backend services
- Deploy a secondary reverse proxy in front of Traefik with proper path normalization
🔍 How to Verify
Check if Vulnerable:
Test by sending requests with URL-encoded characters to protected paths (e.g., /admin%2F instead of /admin/) and checking if they bypass middleware
Check Version:
traefik version
Verify Fix Applied:
After patching, repeat the same test requests - they should now be properly blocked by security middleware
📡 Detection & Monitoring
Log Indicators:
- Requests with URL-encoded restricted characters in paths (%2F, %5C, %00, %3B, %3F, %23)
- Access to protected paths without corresponding middleware execution logs
Network Indicators:
- HTTP requests containing %2F, %5C, %00, %3B, %3F, or %23 in path segments
SIEM Query:
source="traefik" AND (uri="*%2F*" OR uri="*%5C*" OR uri="*%00*" OR uri="*%3B*" OR uri="*%3F*" OR uri="*%23*")
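As an added example (not part of the advisory), a small Python scanner that applies the log indicators above to Traefik's JSON access log. The field names RequestPath, RequestMethod, ClientHost and RouterName are assumed to match Traefik's JSON access-log format, and the sample lines are constructed. It also generalizes the indicator list: any percent-encoding in the path portion whose decoded form differs from the raw form is reported, because such a request can be routed on one path and seen by the backend as another.

```python
import json
import re
from urllib.parse import unquote

# Indicator sequences from the advisory ("/", "\", NUL, ";", "?", "#"); %2f and %2F decode alike.
SUSPICIOUS = re.compile(r"%(2F|5C|00|3B|3F|23)", re.IGNORECASE)


def suspicious_encodings(raw_path):
    """Distinct indicator sequences present in the raw (still-encoded) request path."""
    return sorted({m.group(0).upper() for m in SUSPICIOUS.finditer(raw_path)})


def normalization_gap(raw_path):
    """Broader heuristic: does decoding change the path portion (before any '?')?
    Such a request can match one router encoded and look like another path decoded."""
    path_only = raw_path.split("?", 1)[0]
    return unquote(path_only) != path_only


def scan_access_log(lines):
    """Return one finding per suspicious request in Traefik JSON access-log lines.
    Field names (RequestPath, RequestMethod, ClientHost, RouterName) are assumed to
    follow Traefik's JSON access-log format; adapt them for CLF-format logs."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise, skipped
        path = entry.get("RequestPath", "")
        hits = suspicious_encodings(path)
        if not hits and not normalization_gap(path):
            continue
        findings.append({
            "client": entry.get("ClientHost"),
            "method": entry.get("RequestMethod"),
            "router": entry.get("RouterName"),
            "raw_path": path,
            "decoded_path": unquote(path),
            "encodings": hits,
        })
    return findings


# Constructed sample lines (not real traffic); only the second and third are reported.
SAMPLE_LOG = [
    '{"ClientHost":"10.0.0.5","RequestMethod":"GET","RequestPath":"/admin/","RouterName":"admin@file"}',
    '{"ClientHost":"10.0.0.9","RequestMethod":"GET","RequestPath":"/admin%2F","RouterName":"catchall@file"}',
    '{"ClientHost":"10.0.0.9","RequestMethod":"GET","RequestPath":"/admin%5Cusers","RouterName":"catchall@file"}',
    'not json at all',
]
```

Run `scan_access_log` over lines read from the access log file; each finding carries the raw and decoded path side by side so the analyst can see what the router matched versus what the backend received.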