PT-2025-23099 · Traefik · Traefik

Antonjanrutten · Published 2025-05-28 · Updated 2025-11-25 · CVE-2025-47952

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 2.11.25
Traefik versions prior to 3.4.1

Description

There is a potential issue in Traefik when managing requests using a PathPrefix, Path or PathRegex matcher. If the URL contains a URL-encoded string in its path, it is possible to target a backend exposed by another router, bypassing the middleware chain. The issue allows path traversal with "/../" via URL encoding ("/%2e%2e") and can be used to circumvent routing rules: the matcher is evaluated against the encoded form, while the decoded path resolves to a different location. It affects all Traefik deployments that use path-prefix routes to expose only part of a downstream API.

Recommendations

For Traefik versions prior to 2.11.25, update to version 2.11.25 or later to resolve the issue. For Traefik versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of PathPrefix, Path or PathRegex matchers until a patch is available. Restrict access to sensitive backends to minimize the risk of exploitation. Avoid using URL-encoded strings in paths until the issue is resolved.
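The following is an added defensive check, not Traefik's own code, that shows the mismatch the description relies on: a prefix match on the raw path versus what the path resolves to after percent-decoding and cleaning. The `PathCheck` type and `CheckPath` function are hypothetical names chosen for this example; a reverse-proxy middleware or log scanner could apply the same comparison to flag requests whose decoded path leaves the matched prefix.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)
// PathCheck is the result of comparing one raw request path with the prefix
// a router matched it on (hypothetical type for this example, not Traefik's).
type PathCheck struct {
	Decoded string // path after repeated percent-decoding
	Cleaned string // decoded path with "." and ".." segments resolved
	Encoded bool   // request relied on percent-encoding somewhere in the path
	Escapes bool   // cleaned path no longer sits under the matched prefix
}

// decodeFully percent-decodes until the string stops changing, so a
// double-encoded "%252e" resolves too; bounded so hostile input cannot loop.
func decodeFully(p string) string {
	for i := 0; i < 5; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break
		}
		p = d
	}
	return p
}

// CheckPath reports whether rawPath, once decoded and cleaned, still resolves
// under prefix; a match on the encoded form that escapes after decoding is the
// request shape the advisory describes.
func CheckPath(rawPath, prefix string) PathCheck {
	decoded := decodeFully(rawPath)
	cleaned := path.Clean("/" + decoded)
	prefix = path.Clean("/" + prefix)
	under := prefix == "/" || cleaned == prefix || strings.HasPrefix(cleaned, prefix+"/")
	return PathCheck{Decoded: decoded, Cleaned: cleaned, Encoded: decoded != rawPath, Escapes: !under}
}
func main() {
	// Constructed sample paths, all matched by a PathPrefix(`/api/public`) router.
	for _, raw := range []string{
		"/api/public/users",
		"/api/public/%2e%2e/admin",
		"/api/public/%252e%252e/admin",
	} {
		r := CheckPath(raw, "/api/public")
		fmt.Printf("%-30s cleaned=%-18s encoded=%-5v escapes=%v\n", raw, r.Cleaned, r.Encoded, r.Escapes)
	}
}
```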

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2025-47952
ECHO-A96B-9523-5C06
GHSA-VRCH-868G-9JX5
GO-2025-3719
OPENSUSE-SU-2025:15188-1
OPENSUSE-SU-2025:15304-1
OPENSUSE-SU-2025:15305-1

Affected Products

Traefik