CVE-2025-47952: Traefik allows path traversal using url encoding

2.9 CVSS

Description

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.

Classification

CVE ID: CVE-2025-47952

CVSS Base Severity: LOW

CVSS Base Score: 2.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: traefik

Product: traefik

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.97% (scored less or equal to compared to others)

EPSS Date: 2025-05-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-47952
https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5
https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00
https://github.com/traefik/traefik/releases/tag/v2.11.25
https://github.com/traefik/traefik/releases/tag/v3.4.1

Timeline

2025-05-30 04:40:14 UTC
CVE

Traefik allows path traversal using url encoding