PT-2025-49684 · Traefik+1

Published 2025-12-08 · Updated 2026-02-03 · CVE-2025-66490

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 2.11.32 and 2.11.31 through 3.6.2
Description: Traefik is an HTTP reverse proxy and load balancer. Requests using PathPrefix, Path, or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering the security controls configured for the /admin/ path. This allows attackers to bypass path normalization checks, potentially leading to unauthorized access or request manipulation.
Recommendations: Traefik versions prior to 2.11.32 should be updated to version 2.11.32 or later. Traefik versions 2.11.31 through 3.6.2 should be updated to version 3.6.3 or later.
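As an added example (not Traefik's code and not part of this advisory), the Go check below scans a raw request path for the percent-encoded restricted characters the description names and shows the decoded form a backend could receive; the function names and the sample paths are constructed for illustration, built on the advisory's own /admin%2F example.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// Restricted characters named in the advisory; their percent-encoded forms
// (%2F, %5C, %00, %3B, %3F, %23) may be treated differently before and after
// path normalization, which is what the bypass relies on.
var restricted = map[byte]string{
	'/': "slash", '\\': "backslash", 0x00: "null",
	';': "semicolon", '?': "question mark", '#': "hash",
}

// encodedRestricted scans the RAW (still percent-encoded) request path and
// returns each encoded restricted character as "%XX=name". Literal "/"
// separators are not reported; only encoded ones slip past a prefix matcher.
func encodedRestricted(rawPath string) []string {
	var found []string
	for i := 0; i+2 < len(rawPath); i++ {
		if rawPath[i] != '%' {
			continue
		}
		// Invalid escapes (err != nil) are skipped even though b is then 0.
		b, err := strconv.ParseUint(rawPath[i+1:i+3], 16, 8)
		if name, ok := restricted[byte(b)]; err == nil && ok {
			found = append(found, fmt.Sprintf("%s=%s", rawPath[i:i+3], name))
		}
	}
	return found
}

// decodedPath is the path after one round of percent-decoding, i.e. the
// form a backend may see even though the raw path did not match "/admin/".
func decodedPath(rawPath string) string {
	if p, err := url.PathUnescape(rawPath); err == nil {
		return p
	}
	return rawPath
}

func main() { // constructed samples, built on the advisory's own example
	for _, raw := range []string{"/admin/", "/admin%2F", "/admin%2Fusers%3Bv=1"} {
		fmt.Printf("%-22s -> %-16q flagged: %v\n", raw, decodedPath(raw), encodedRestricted(raw))
	}
}
```

A request whose raw path is flagged is one where a prefix matcher and the decoded path disagree, so rejecting or logging such requests at the edge is a reasonable compensating control until the fixed versions are deployed.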

Related Identifiers

CVE-2025-66490
GHSA-GM3X-23WP-HC2C
GO-2025-4206
OPENSUSE-SU-2026:10020-1
OPENSUSE-SU-2026:10143-1
SUSE-SU-2026:0037-1

Affected Products

Alt Linux
Traefik