Path Normalization Bypass in Traefik Reverse Proxy and Load Balancer
CVE-2025-66490

6.9MEDIUM

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
9 December 2025

What is CVE-2025-66490?

The vulnerability in Traefik's HTTP reverse proxy and load balancer allows requests with URL-encoded restricted characters to bypass path normalization. Specifically, requests using PathPrefix, Path, or PathRegex matchers can inadvertently reach unintended backend services without passing through the necessary security controls. This presents a serious risk, particularly for sensitive endpoints such as admin pages, where security middleware may not be activated. It is crucial for users of Traefik to upgrade to versions 2.11.32 or 3.6.3 to mitigate this risk.

Affected Version(s)

traefik github.com/traefik/traefik/v3 < 3.6.3 < github.com/traefik/traefik/v3 3.6.3

traefik github.com/traefik/traefik/v2 < 2.11.32 < github.com/traefik/traefik/v2 2.11.32

traefik github.com/traefik/traefik <= 1.7.34 <= github.com/traefik/traefik 1.7.34

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/traefik/traefik/releases/tag/v2.11.32
x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v3.6.4
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.