CVE-2025-54386
Published: 02 August 2025
Summary
CVE-2025-54386 is a high-severity Path Traversal (CWE-22) vulnerability in Traefik. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Traefik, an HTTP reverse proxy and load balancer, contains a path traversal vulnerability in its WASM plugin installation mechanism. The flaw affects versions 2.11.27 and earlier, 3.0.0 through 3.4.4, and 3.5.0-rc1, and is tracked under CWE-22 and CWE-30. An attacker-supplied ZIP archive containing file paths with ../ sequences can cause files to be written outside the intended plugin directory during installation.
The vulnerability can be exploited by an attacker who is able to supply a malicious plugin archive to the installation process. Successful exploitation may result in arbitrary file overwrites that enable remote code execution, privilege escalation, persistence mechanisms, or denial of service on the affected system. The CVSS 4.0 score of 7.3 reflects high impact under conditions that include network access and high privileges.
The issue is resolved in Traefik releases 2.11.28, 3.4.5, and 3.5.0, as documented in the corresponding GitHub commits, pull requests, and release notes. The EPSS score remains flat at 0.0336 with no material increase observed after disclosure.
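The input validation control named above (rejecting archive member names that would resolve outside the plugin directory) can be implemented with Go's standard library. The following is an added example written for this page, not Traefik's own code or its fix; the plugin directory path and the archive contents in the test are constructed, and filepath.IsLocal / zip.ErrInsecurePath require Go 1.20 or later.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"path/filepath"
)

// ErrTraversal marks an entry whose name would resolve outside the plugin directory.
var ErrTraversal = errors.New("zip entry escapes plugin directory")

// safeJoin accepts only local names (not absolute, no ".." escaping the root) and joins them under destDir.
func safeJoin(destDir, name string) (string, error) {
	name = filepath.FromSlash(name) // ZIP entry names use "/"
	if !filepath.IsLocal(name) {    // lexical check only; symlink entries need separate handling
		return "", ErrTraversal
	}
	return filepath.Join(destDir, name), nil // Join normalises "sub/../x" to "x"
}

// planExtraction parses an in-memory archive and resolves every member under
// destDir before anything is written, so one bad entry rejects the whole archive.
func planExtraction(archive []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // names are re-checked below
		return nil, err
	}
	targets := make([]string, 0, len(r.File))
	for _, f := range r.File {
		t, err := safeJoin(destDir, f.Name)
		if err != nil {
			return nil, err // reject the archive; an extractor would stop here
		}
		targets = append(targets, t)
	}
	return targets, nil
}

// buildArchive makes a constructed in-memory ZIP from (name, content) pairs.
func buildArchive(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		f, _ := w.Create(e[0])
		f.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}
```

Validating every name before the first write is what keeps a malicious archive from leaving partial output behind; because filepath.IsLocal is purely lexical, an extractor that also materialises symlink members must handle those separately, since a later member could otherwise be written through one.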
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23415
Vulnerability details
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in Traefik’s WASM plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Path traversal in public-facing Traefik reverse proxy enables unauthenticated remote arbitrary file write leading to RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the path traversal vulnerability by requiring timely patching of Traefik to versions that fix the ZIP archive handling in the WASM plugin installation mechanism.
- SI-10 (Information Input Validation): Requires validation of file paths extracted from ZIP archives during plugin installation to block directory traversal sequences like '../' and prevent arbitrary file writes.
- Integrity verification: Detects unauthorized file overwrites outside the plugin directory through integrity verification of software and system files.