Path Traversal Vulnerability in Traefik HTTP Reverse Proxy
CVE-2025-54386

7.3HIGH

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
2 August 2025

What is CVE-2025-54386?

A path traversal vulnerability exists in Traefik's plugin installation mechanism, enabling attackers to craft malicious ZIP files that can overwrite arbitrary system files. This vulnerability impacts versions 2.11.27 and earlier as well as versions 3.0.0 through 3.4.4 and 3.5.0-rc1. When exploited, it poses risks such as remote code execution, privilege escalation, and denial of service. Users are urged to upgrade to patched versions 2.11.28, 3.4.5, or 3.5.0 to mitigate these risks.

Affected Version(s)

traefik <= 2.11.27, < 2.11.28 < 2.11.27, 2.11.28

traefik <= 3.0.0, < 3.4.5 < 3.0.0, 3.4.5

traefik >= 3.5.0-rc1, < 3.5.0-rc2 < 3.5.0-rc1, 3.5.0-rc2

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/traefik/plugin-service/pull/71
x_refsource_MISC
https://github.com/traefik/plugin-service/pull/72
x_refsource_MISC

CVSS V4

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

.