{"id":"CVE-2025-32431","summary":"Traefik has a possible vulnerability with the path matchers","details":"Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2, there is a potential vulnerability in how Traefik handles requests routed with a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route requests to a backend using a matcher based on the path, and the URL contains a /../ in its path, it is possible to target a backend exposed through another router, bypassing the middleware chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.","aliases":["GHSA-6p68-w45g-48j7","GO-2025-3634"],"modified":"2026-03-20T12:42:18.119424Z","published":"2025-04-21T15:34:04.637Z","related":["openSUSE-SU-2025:15017-1","openSUSE-SU-2025:15305-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32431.json","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v2.11.24"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v3.3.6"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32431.json"},{"type":"ADVISORY","url":"https://github.com/traefik/traefik/security/advisories/GHSA-6p68-w45g-48j7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32431"},{"type":"FIX","url":"https://github.com/traefik/traefik/pull/11684"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/traefik/traefik","events":[{"introduced":"0"},{"fixed":"8816cb86a4425dfa90adf01312a6b6e4d73e2792"},{"fixed":"b05ec75f982006c9d59fc535c752d5907ec94826"}],"database_specific":
{"versions":[{"introduced":"0"},{"fixed":"2.11.24"},{"fixed":"3.3.6"}]}},{"type":"GIT","repo":"https://github.com/traefik/traefik","events":[{"introduced":"405be420c9f600f2c045b22a8d970dcba5499fb9"},{"fixed":"9d0e76baa8e04034311401e4fd9e428903679fc2"}],"database_specific":{"versions":[{"introduced":"3.4.0-rc1"},{"fixed":"3.4.0-rc2"}]}}],"versions":["v1.0","v1.0.0","v1.0.0-beta.211","v1.0.0-beta.212","v1.0.0-beta.220","v1.0.0-beta.224","v1.0.0-beta.247","v1.0.0-beta.254","v1.0.0-beta.277","v1.0.0-beta.280","v1.0.0-beta.287","v1.0.0-beta.289","v1.0.0-beta.291","v1.0.0-beta.300","v1.0.0-beta.324","v1.0.0-beta.339","v1.0.0-beta.341","v1.0.0-beta.352","v1.0.0-beta.355","v1.0.0-beta.366","v1.0.0-beta.374","v1.0.0-beta.392","v1.0.0-beta.395","v1.0.0-beta.404","v1.0.0-beta.408","v1.0.0-beta.416","v1.0.0-beta.421","v1.0.0-beta.427","v1.0.0-beta.433","v1.0.0-beta.436","v1.0.0-beta.440","v1.0.0-beta.442","v1.0.0-beta.453","v1.0.0-beta.470","v1.0.0-beta.475","v1.0.0-beta.481","v1.0.0-beta.484","v1.0.0-beta.505","v1.0.0-beta.508","v1.0.0-beta.513","v1.0.0-beta.524","v1.0.0-beta.545","v1.0.0-beta.548","v1.0.0-beta.555","v1.0.0-beta.573","v1.0.0-beta.576","v1.0.0-beta.582","v1.0.0-beta.601","v1.0.0-beta.610","v1.0.0-beta.614","v1.0.0-beta.621","v1.0.0-beta.644","v1.0.0-beta.652","v1.0.0-beta.666","v1.0.0-beta.673","v1.0.0-beta.676","v1.0.0-beta.682","v1.0.0-beta.692","v1.0.0-beta.695","v1.0.0-beta.704","v1.0.0-beta.712","v1.0.0-beta.721","v1.0.0-beta.723","v1.0.0-beta.732","v1.0.0-beta.744","v1.0.0-beta.754","v1.0.0-beta.756","v1.0.0-beta.767","v1.0.0-beta.771","v1.0.0-beta.784","v1.0.0-beta.794","v1.0.0-beta.804","v1.0.0-beta.809","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.1","v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185","v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458","v1.0.alpha.157","v1.0.alpha.164","v1.0.alpha.170","v1.0.alpha.171","v1.0.alpha.176","v1.0.alpha.178","v1.0.alpha.182","v1.0.alpha.186","v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e","v1.0.alp
ha.200","v1.0.alpha.212","v1.0.alpha.215","v1.0.alpha.216","v1.0.alpha.217","v1.0.alpha.228","v1.0.alpha.247","v1.0.alpha.249","v1.0.alpha.250","v1.0.alpha.251","v1.0.alpha.252","v1.0.alpha.256","v1.0.alpha.257","v1.0.alpha.263","v1.0.alpha.266","v1.0.alpha.267","v1.0.alpha.268","v1.0.alpha.269","v1.0.alpha.270","v1.0.alpha.271","v1.0.alpha.272","v1.0.alpha.273","v1.0.alpha.274","v1.0.alpha.275","v1.0.alpha.285","v1.0.alpha.288","v1.0.alpha.290","v1.0.alpha.291","v1.0.alpha.302","v1.0.alpha.306","v1.0.alpha.311","v1.0.alpha.329","v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d","v1.0.alpha.333","v1.0.alpha.336","v1.0.alpha.338","v1.0.alpha.341","v1.0.alpha.357","v1.0.alpha.358","v1.0.alpha.361","v1.0.alpha.364","v1.0.alpha.367","v1.0.alpha.374","v1.0.alpha.392","v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb","v1.0.alpha.404","v1.0.alpha.412","v1.0.alpha.418","v1.0.alpha.421","v1.0.alpha.425","v1.0.alpha.439","v1.0.alpha.443","v1.0.alpha.450","v1.0.alpha.463","v1.0.alpha.469","v1.0.alpha.471","v1.0.alpha.477","v1.0.alpha.481","v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2","v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e","v1.0.alpha.506","v1.0.alpha.516","v1.0.alpha.522","v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b","v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a","v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30","v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff","v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708","v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05","v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b","v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f","v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb","v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e","v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b","v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d","v1.1.0","v1.1.0-rc1","v1.1.0-rc2","v1.1.0-rc3","v1.1.0-rc4","v1.1.1","v1.3.0","v1.3.0-rc1","v1.3.0-rc2","v1.3.0-rc3","v1.3.1","v1.3.2","v1.3.
3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.4.0","v1.4.0-rc1","v1.4.0-rc2","v1.4.0-rc3","v1.4.0-rc4","v1.4.0-rc5","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.5.0","v1.5.0-rc1","v1.5.0-rc2","v1.5.0-rc3","v1.5.0-rc4","v1.5.0-rc5","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.6.0","v1.6.0-rc1","v1.6.0-rc2","v1.6.0-rc3","v1.6.0-rc4","v1.6.0-rc5","v1.6.0-rc6","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.6.6","v1.7.0","v1.7.0-rc1","v1.7.0-rc2","v1.7.0-rc3","v1.7.0-rc4","v1.7.0-rc5","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v2.0.0","v2.0.0-alpha1","v2.0.0-alpha2","v2.0.0-alpha3","v2.0.0-alpha4","v2.0.0-alpha5","v2.0.0-alpha6","v2.0.0-alpha7","v2.0.0-alpha8","v2.0.0-beta1","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.0-rc4","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.1.0","v2.1.0-rc1","v2.1.0-rc2","v2.1.0-rc3","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.10.0","v2.10.0-rc1","v2.10.0-rc2","v2.10.1","v2.10.2","v2.10.3","v2.10.4","v2.10.5","v2.10.6","v2.10.7","v2.11.0","v2.11.0-rc1","v2.11.0-rc2","v2.11.1","v2.11.10","v2.11.11","v2.11.12","v2.11.13","v2.11.14","v2.11.15","v2.11.16","v2.11.17","v2.11.18","v2.11.19","v2.11.2","v2.11.20","v2.11.21","v2.11.22","v2.11.23","v2.11.24","v2.11.3","v2.11.4","v2.11.5","v2.11.6","v2.11.7","v2.11.8","v2.11.9","v2.2.0","v2.2.0-rc1","v2.2.0-rc2","v2.2.0-rc3","v2.2.0-rc4","v2.2.1","v2.2.10","v2.2.11","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.3.0","v2.3.0-rc1","v2.3.0-rc2","v2.3.0-rc3","v2.3.0-rc4","v2.3.0-rc5","v2.3.0-rc6","v2.3.0-rc7","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.4.0","v2.4.0-rc1","v2.4.0-rc2","v2.4.1","v2.4.10","v2.4.11","v2.4.12","v2.4.13","v2.4.14","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.4.9","v2.5.0","v2.5.0-rc1","v2.5.0-rc2","v2.5.0-rc3","v2.5.0-rc4","v2.5.0-rc5","v2.5.0-rc6","v2.5.1","v2.5.2","v2.5.3","v2.5.4","v2.5.5","v2.5.6","v2.5.7","v2.6.0","v2.6.0-rc1","v2.6.0-rc2","v2.6.0-
rc3","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.6.7","v2.7.0","v2.7.0-rc1","v2.7.0-rc2","v2.7.1","v2.7.2","v2.7.3","v2.8.0","v2.8.0-rc1","v2.8.0-rc2","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v2.8.6","v2.8.7","v2.8.8","v2.9.0-rc1","v2.9.0-rc2","v2.9.0-rc3","v2.9.0-rc4","v2.9.0-rc5","v2.9.1","v2.9.10","v2.9.2","v2.9.3","v2.9.4","v2.9.5","v2.9.6","v2.9.7","v2.9.8","v2.9.9","v3.3.6","v3.4.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32431.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}]}