CVE-2025-66490
BaseFortify

Publication date: 2025-12-09

Last updated on: 2026-03-06

Assigner: GitHub, Inc.

Description
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3.
Meta Information
Published: 2025-12-09
Last Modified: 2026-03-06
Generated: 2026-05-07
AI Q&A: 2025-12-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor    Product    Version / Range
traefik   traefik    up to 2.11.32 (excluding)
traefik   traefik    from 3.0.0 (including) up to 3.6.3 (excluding)
CWE
CWE-436: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Traefik affects versions prior to 2.11.32 and 2.11.31 through 3.6.2, where requests using PathPrefix, Path, or PathRegex matchers can bypass path normalization. Specifically, when Traefik uses path-based routing, requests containing URL-encoded restricted characters such as /, \, Null, ;, ?, and # can bypass the middleware chain and reach unintended backend services. For example, a request to a URL like http://mydomain.example.com/admin%2F could reach a backend service without triggering the intended security middleware for the /admin/ path, effectively bypassing security controls. This issue is fixed in versions 2.11.32 and 3.6.3.


How can this vulnerability impact me?

This vulnerability can allow attackers to bypass security middleware and access backend services that should be protected. By exploiting the path normalization bypass, unauthorized requests can reach unintended backends, potentially exposing sensitive data or functionality that should be restricted. This can lead to unauthorized access, data leakage, or other security breaches depending on the backend services involved.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Traefik to version 2.11.32 or later, or 3.6.3 or later, as these versions contain the fix for the path normalization bypass vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attackers to bypass security middleware and access restricted backend services, potentially leading to unauthorized access to sensitive data or protected internal functions. Such unauthorized access could result in violations of compliance requirements under standards like GDPR or HIPAA, which mandate strict access controls and protection of sensitive information. Therefore, if exploited, this vulnerability could negatively impact an organization's ability to comply with these regulations by exposing protected data or systems to unauthorized parties. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for HTTP requests that contain URL-encoded restricted characters such as %2F (encoded slash), %00 (null byte), %3B (semicolon), %3F (question mark), or %23 (hash) in the path, especially when these requests bypass expected middleware protections. You can use network traffic inspection tools or web server logs to identify such suspicious requests. For example, using command-line tools like curl or wget, you can test your Traefik instance by sending requests with encoded characters in the path to see if middleware is bypassed. Example curl command: curl -v http://yourdomain.example.com/admin%2F - to check if the request bypasses middleware. Additionally, inspecting Traefik access logs or using tools like tcpdump or Wireshark to filter HTTP requests containing encoded characters in the URL path can help detect exploitation attempts. However, no specific detection commands are provided in the resources. [3]
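As an added detection example (not from the advisory, from BaseFortify, or from the Traefik project), the following Python scan reads access-log lines and flags requests whose raw path carries one of the restricted characters in percent-encoded form, reporting the router that handled them and whether a single decoding pass would place the path under a protected prefix that the raw path never literally matched. It assumes Traefik's default CLF-style access-log layout and uses constructed sample lines.

```python
import re
from urllib.parse import unquote

# Restricted characters named in the advisory; any of them arriving percent-encoded is suspect.
RESTRICTED = {"/", "\\", "\x00", ";", "?", "#"}
ENCODED_RE = re.compile(r"%([0-9A-Fa-f]{2})")
# Assumed CLF-style Traefik access-log layout (router name quoted after the request counter).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" \d+ "(?P<router>[^"]*)"'
)

def encoded_restricted(path):
    """Return the restricted characters that appear percent-encoded in the raw path."""
    return sorted({chr(int(h, 16)) for h in ENCODED_RE.findall(path)} & RESTRICTED)

def flag_requests(log_lines, protected_prefixes):
    """Flag requests whose raw path carries an encoded restricted character.
    'prefix-mismatch' means one decoding pass (what a backend typically applies) puts
    the path under a protected prefix that the raw path did not literally match."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        raw = m.group("path")
        chars = encoded_restricted(raw)
        if not chars:
            continue
        decoded = unquote(raw)
        landed = [p for p in protected_prefixes if decoded.startswith(p) and not raw.startswith(p)]
        hits.append({
            "ip": m.group("ip"), "router": m.group("router"), "status": m.group("status"),
            "raw": raw, "decoded": decoded, "encoded_chars": chars,
            "kind": "prefix-mismatch" if landed else "encoded-restricted-char",
            "protected_prefix": landed[0] if landed else None,
        })
    return hits

# Constructed sample log lines (not real traffic); hosts and routers are hypothetical.
SAMPLE_LOG = """\
10.0.0.7 - - [09/Dec/2025:10:00:01 +0000] "GET /admin/ HTTP/1.1" 403 0 "-" "curl/8.4.0" 1 "admin-router@file" "http://10.0.1.5:8080" 2ms
10.0.0.7 - - [09/Dec/2025:10:00:02 +0000] "GET /admin%2F HTTP/1.1" 200 512 "-" "curl/8.4.0" 2 "catch-all@file" "http://10.0.1.5:8080" 3ms
10.0.0.9 - - [09/Dec/2025:10:00:03 +0000] "GET /static/app%20v2.js HTTP/1.1" 200 9981 "-" "Mozilla/5.0" 3 "static-router@file" "http://10.0.1.6:8080" 1ms
10.0.0.9 - - [09/Dec/2025:10:00:04 +0000] "GET /api/%23/users HTTP/1.1" 200 40 "-" "python-requests/2.32" 4 "api-router@file" "http://10.0.1.7:8080" 4ms
""".splitlines()

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG, ["/admin/"]):
        print(hit["kind"], hit["ip"], hit["raw"], "->", hit["decoded"], "router:", hit["router"])
```

A 200 on a prefix-mismatch hit served by a router other than the one that carries the protected prefix's middleware is the pattern worth alerting on; encoded spaces and other unreserved characters are deliberately ignored.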

