CVE-2025-54386
Published: 02 August 2025
Summary
CVE-2025-54386 is a critical-severity Path Traversal (CWE-22) vulnerability in Traefik. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 20.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates the path traversal vulnerability by requiring timely patching of Traefik to versions that fix the ZIP archive handling in the WASM plugin installation mechanism.
SI-10 (Information Input Validation): requires validation of file paths extracted from ZIP archives during plugin installation, rejecting directory traversal sequences such as '../' so that no entry can be written outside the plugin directory.
Detects unauthorized file overwrites outside the plugin directory through integrity verification of software and system files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing Traefik reverse proxy enables an unauthenticated remote arbitrary file write, which can lead to RCE.
NVD Description
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik's plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.
Deeper analysis
Traefik, an HTTP reverse proxy and load balancer, contains a path traversal vulnerability (CVE-2025-54386) in its WASM plugin installation mechanism. The flaw affects versions 2.11.27 and prior, 3.0.0 through 3.4.4, and 3.5.0-rc1. By providing a maliciously crafted ZIP archive whose entry names contain "../" sequences, an attacker can overwrite arbitrary files on the host system beyond the intended plugin directory. The issue is mapped to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-30 (Path Traversal: '../').
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: it is exploitable remotely without authentication, privileges, or user interaction. Any unauthenticated attacker able to supply a ZIP archive during plugin installation can achieve arbitrary file writes, potentially resulting in remote code execution, privilege escalation, persistence, or denial of service.
Mitigation is available through the patched versions 2.11.28, 3.4.5, and 3.5.0. The relevant fixes are documented in Traefik plugin-service pull requests #71 and #72, Traefik commit 5ef853a0c53068f69a6c229a5815a0dc6e0a8800, pull request #11911, and the v2.11.28 release notes. Security practitioners should upgrade immediately and review plugin installation processes for exposure, in particular any path by which an untrusted ZIP archive could reach the installer.
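The SI-10 control above and the analysis of the flaw both come down to one check: every entry name in the ZIP must be resolved against the plugin directory and rejected if it lands anywhere else. The following Go program is an added illustration of that check written for this page; it is not Traefik's code, not the patch referenced above, and it makes no claim about how Traefik's installer is structured. Destination paths such as `/opt/traefik/plugins` and the archive contents are constructed sample data. It validates the whole archive before writing a single byte, refuses symlink entries (a second escape route that a purely lexical "../" filter misses), and only then extracts.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks an archive entry whose name would resolve outside the
// destination directory (the CWE-22 / "zip slip" condition).
var ErrUnsafePath = errors.New("archive entry escapes destination directory")

// SafeJoin resolves an archive entry name against dest and rejects it unless
// the result stays inside dest. The checks are lexical (filepath.Clean/Rel),
// so no filesystem access is needed and the verdict is the same on every host.
func SafeJoin(dest, name string) (string, error) {
	if name == "" || strings.Contains(name, "\\") || filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join cleans, collapsing any "../"
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return target, nil
}

// ValidateArchive checks every entry before anything is written, so a hostile
// archive is rejected whole instead of partially extracted. Symlink entries are
// refused as well: a link pointing outside dest, followed by a file written
// through it, is another way out of the plugin directory.
func ValidateArchive(zipData []byte, dest string) error {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if r == nil { // unreadable archive; a reader returned alongside an error is still checked below
		return err
	}
	for _, f := range r.File {
		if _, err := SafeJoin(dest, f.Name); err != nil {
			return err
		}
		if f.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: symlink entry %q", ErrUnsafePath, f.Name)
		}
	}
	return nil
}

// ExtractArchive validates, then extracts into dest and returns the file paths
// written. Every target path comes from SafeJoin, never from the raw entry name.
func ExtractArchive(zipData []byte, dest string) ([]string, error) {
	if err := ValidateArchive(zipData, dest); err != nil {
		return nil, err
	}
	r, _ := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	var written []string
	for _, f := range r.File {
		target, _ := SafeJoin(dest, f.Name) // already validated above
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// BuildZip builds an in-memory ZIP from name->content pairs. It exists only to
// construct sample archives for the demo; archive/zip accepts any entry name,
// including ones containing "../", which is exactly why the installer must check.
func BuildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, content := range entries {
		fw, _ := w.Create(name)
		fw.Write([]byte(content))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	const dest = "/opt/traefik/plugins" // constructed sample path
	benign := BuildZip(map[string]string{"demo/plugin.wasm": "\x00asm", "demo/.traefik.yml": "displayName: demo\n"})
	hostile := BuildZip(map[string]string{"demo/plugin.wasm": "\x00asm", "../../etc/overwritten.txt": "x"})
	fmt.Println("benign archive:", ValidateArchive(benign, dest))   // <nil>
	fmt.Println("hostile archive:", ValidateArchive(hostile, dest)) // archive entry escapes destination directory: "../../etc/overwritten.txt"
}
```

The decisive property is that `ExtractArchive` returns before touching the filesystem when any entry fails `SafeJoin`; an installer that checks entries one at a time while writing would still leave the benign-looking entries of a hostile archive on disk. Checking `filepath.Rel` on the cleaned result, rather than searching the raw name for the literal string `../`, also catches encoded or mixed forms such as `demo/../../x` that a substring filter would pass.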
Details
- CWE(s)