Cyber Resilience

CVE-2025-54386

Severity: High
Published: 02 August 2025
Modified: 26 November 2025
KEV Added: not listed
Patch: available
CVSS Score (v4): 7.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0336 (87.6th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54386 is a high-severity path traversal (CWE-22) vulnerability in Traefik (vendor: Traefik). Its CVSS v4 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Traefik, an HTTP reverse proxy and load balancer, contains a path traversal vulnerability in its WASM plugin installation mechanism. The flaw affects versions 2.11.27 and earlier, 3.0.0 through 3.4.4, and 3.5.0-rc1, and is tracked under CWE-22 and CWE-30. An attacker-supplied ZIP archive containing file paths with ../ sequences can cause files to be written outside the intended plugin directory during installation.

The vulnerability can be exploited by an attacker who is able to supply a malicious plugin archive to the installation process. Successful exploitation may result in arbitrary file overwrites that enable remote code execution, privilege escalation, persistence mechanisms, or denial of service on the affected system. The CVSS 4.0 score of 7.3 reflects high confidentiality, integrity and availability impact (VC:H/VI:H/VA:H), tempered by the conditions in the vector: network reachability but high attack complexity, an attack requirement, high privileges and user interaction (AV:N/AC:H/AT:P/PR:H/UI:P).

The issue is resolved in Traefik releases 2.11.28, 3.4.5, and 3.5.0, as documented in the corresponding GitHub commits, pull requests, and release notes. The EPSS score remains flat at 0.0336 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik's plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.
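The defect described above is the classic "Zip Slip" pattern: an archive entry name is joined to the plugin directory without checking where the joined path ends up. The Go program below is an added example (not Traefik's code and not the patch) that shows the check an installer should apply to every entry before writing it: resolve the entry under the destination, reject anything that does not stay strictly beneath it, and dry-run the whole archive so a single bad entry rejects the plugin as a whole. The plugin directory path and the archive entry names are constructed sample values.

```go
package main
import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)
// safeJoin resolves an archive entry name under dest and rejects any entry that would land outside it.
func safeJoin(dest, name string) (string, error) {
	name = strings.ReplaceAll(name, "\\", "/") // also catch Windows-style "..\" names
	root := filepath.Clean(dest)
	target := filepath.Join(root, filepath.FromSlash(name)) // Join resolves ".." segments
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", fmt.Errorf("zip entry %q escapes %s", name, root)
	}
	return target, nil
}
// checkArchive dry-runs an extraction: every resolved path, or the first escaping entry's error.
func checkArchive(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, f := range r.File {
		p, err := safeJoin(dest, f.Name)
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}
// buildArchive makes an in-memory ZIP with the given entry names (constructed sample input).
func buildArchive(names ...string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		w.Create(n) // empty entry; only the name matters for this check
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dest := "/var/lib/traefik/plugins/example" // assumed path, not Traefik's real plugin layout
	fmt.Println(checkArchive(buildArchive("plugin/main.wasm", "plugin/.traefik.yml"), dest))
	fmt.Println(checkArchive(buildArchive("plugin/main.wasm", "../../outside.txt"), dest))
}
```

The first archive resolves cleanly under dest; the second is rejected because its second entry would resolve to a path two directories above the plugin directory.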

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in public-facing Traefik reverse proxy enables unauthenticated remote arbitrary file write leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35051 (same product: Traefik Traefik)
CVE-2026-32695 (same product: Traefik Traefik)
CVE-2026-40912 (same product: Traefik Traefik)
CVE-2026-39858 (same product: Traefik Traefik)
CVE-2026-29054 (same product: Traefik Traefik)
CVE-2026-33433 (same product: Traefik Traefik)
CVE-2026-22045 (same product: Traefik Traefik)
CVE-2026-26999 (same product: Traefik Traefik)
CVE-2026-25949 (same product: Traefik Traefik)
CVE-2025-64075 (shared weakness: CWE-22)

Affected Assets

traefik (vendor: traefik)
Versions: 3.5.0 · ≤ 2.11.7 · 3.0.0 to 3.4.4

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent (SI-2 Flaw Remediation): Directly mitigates the path traversal vulnerability by requiring timely patching of Traefik to versions that fix the ZIP archive handling in the WASM plugin installation mechanism.

prevent (SI-10 Information Input Validation): Requires validation of file paths extracted from ZIP archives during plugin installation to block directory traversal sequences like '../' and prevent arbitrary file writes.

detect: Detects unauthorized file overwrites outside the plugin directory through integrity verification of software and system files.

References