CVE-2025-54386
August 01, 2025
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.
Affected Packages
https://github.com/traefik/traefik.git (GITHUB):
Affected version(s) >=v1.0.alpha.157 <v2.11.28Fix Suggestion:
Update to version v2.11.28https://github.com/traefik/traefik.git (GITHUB):
Affected version(s) >=v3.5.0-rc1 <v3.5.0Fix Suggestion:
Update to version v3.5.0https://github.com/traefik/traefik.git (GITHUB):
Affected version(s) >=v3.0.0-beta1 <v3.4.5Fix Suggestion:
Update to version v3.4.5github.com/traefik/traefik/v3 (GO):
Affected version(s) >=v3.5.0-rc1 <v3.5.0Fix Suggestion:
Update to version v3.5.0github.com/traefik/traefik/v2 (GO):
Affected version(s) >=v2.0.0-rc1 <v2.11.28Fix Suggestion:
Update to version v2.11.28github.com/traefik/traefik/v3 (GO):
Affected version(s) >=v3.0.0-beta2.0.20230203142405-044dc6a221a1 <v3.4.5Fix Suggestion:
Update to version v3.4.5Related Resources (8)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
EPSS
Base Score:
0.66
