CVE-2025-32431
Published: 21 April 2025
Summary
CVE-2025-32431 is a high-severity Path Traversal (CWE-22) vulnerability in Traefik Traefik. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 44.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12231
Vulnerability details
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured…
more
to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.