PT-2025-17448 · Traefik · Traefik

Govulnbot · Published 2025-04-17 · Updated 2025-11-25 · CVE-2025-32431

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 2.11.24
Traefik versions prior to 3.3.6
Traefik versions prior to 3.4.0-rc2

Description

The issue concerns Traefik, an HTTP reverse proxy and load balancer, and how it handles requests routed with a PathPrefix, Path, or PathRegex matcher. When Traefik is configured to route requests to a backend using a path-based matcher and the URL contains a /../ in its path, it is possible to target a backend exposed through another router, bypassing the middlewares chain.

Recommendations

For versions prior to 2.11.24, update to version 2.11.24 or later.
For versions prior to 3.3.6, update to version 3.3.6 or later.
For versions prior to 3.4.0-rc2, update to version 3.4.0-rc2 or later.
As a temporary workaround, consider adding a PathRegexp rule to the matcher to prevent matching a route with a /../ in the path.
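
A log-side check for the condition described above, as an added example that is not part of the advisory or of Traefik's code: it flags request targets whose path contains a `..` segment and marks those where the raw path and the normalised path fall under different router prefixes. The prefixes `/public` and `/admin` and the sample request targets are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical PathPrefix values; replace with the prefixes of your own routers.
var routerPrefixes = []string{"/public", "/admin"}

// matchPrefix returns the longest configured prefix that p starts with, or "".
func matchPrefix(p string) string {
	best := ""
	for _, pre := range routerPrefixes {
		if strings.HasPrefix(p, pre) && len(pre) > len(best) {
			best = pre
		}
	}
	return best
}

// Classify returns "" for a path without ".." segments, "dotdot" when the
// decoded path holds a ".." segment, "router-mismatch" when that segment also
// puts the raw and the normalised path under different router prefixes, and
// "unparseable" when the target is not a valid request URI.
func Classify(target string) string {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "unparseable"
	}
	raw := u.Path // url.Path is already percent-decoded, so %2e%2e is covered
	if !strings.Contains(raw+"/", "/../") {
		return ""
	}
	if matchPrefix(raw) != matchPrefix(path.Clean(raw)) {
		return "router-mismatch"
	}
	return "dotdot"
}

func main() {
	// Constructed request targets, as they would appear in an access log.
	for _, t := range []string{"/public/index.html", "/public/a/../b", "/public/../admin/users", "/public/%2e%2e/admin/users"} {
		fmt.Printf("%-32s %q\n", t, Classify(t))
	}
}
```

A "router-mismatch" result on a deployment running an affected version is the case to review first, since the request may have reached a backend without that router's middlewares.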

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-00344
CVE-2025-32431
ECHO-5622-1894-E085
GHSA-6P68-W45G-48J7
GO-2025-3634
OPENSUSE-SU-2025:15017-1
OPENSUSE-SU-2025:15305-1

Affected Products

Traefik