Home > Vulnerability Database > CVE-2025-66490

Mend.io Vulnerability Database

CVE-2025-66490

Good to know:

Date: December 8, 2025

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, , Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3.

Severity Score

7.2

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66490

Url: https://github.com/traefik/traefik/releases/tag/v2.11.32

Url: https://github.com/traefik/traefik

Url: https://github.com/traefik/traefik/releases/tag/v3.6.4

Url: https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c

Url: https://www.mend.io/vulnerability-database/CVE-2025-66490

Severity Score

7.2

Weakness Type (CWE)

Interpretation Conflict

CWE-436

Top Fix

Upgrade Version

Upgrade to version github.com/traefik/traefik/v3 - v3.6.3;github.com/traefik/traefik/v2 - v2.11.32

Learn More

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66490

Good to know:

Date: December 8, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?