x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2025-32431 #3634

GoVulnBot · 2025-04-21T17:01:27Z

Advisory CVE-2025-32431 references a vulnerability in the following Go modules:

Module
github.com/traefik/traefik

Description:
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a PathRegexp rule to...

References:

Cross references:

github.com/traefik/traefik appears in 20 other report(s):
- data/excluded/GO-2023-2117.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7v4p-328v-8v5g #2117) DEPENDENT_VULNERABILITY
- data/reports/GO-2022-0325.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2022-23632 #325)
- data/reports/GO-2022-0808.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7h6j-2268-fhcm #808)
- data/reports/GO-2022-0923.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2021-32813, GHSA-m697-4v8f-55qg #923)
- data/reports/GO-2022-1152.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-468w-8x39-gj5v #1152)
- data/reports/GO-2022-1154.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-h2ph-vhm7-g4hp #1154)
- data/reports/GO-2023-1919.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-r3fq-cmmw-cpmm #1919)
- data/reports/GO-2023-1950.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-2cjc-rgmp-x649 #1950)
- data/reports/GO-2023-2376.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47106 #2376)
- data/reports/GO-2023-2377.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47633 #2377)
- data/reports/GO-2023-2381.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-8g85-whqh-cr2f #2381)
- data/reports/GO-2024-2722.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-4vwx-54mw-vqfw #2722)
- data/reports/GO-2024-2726.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-7f4j-64p6-5h5v #2726)
- data/reports/GO-2024-2880.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-f7cq-5v43-8pwp #2880)
- data/reports/GO-2024-2917.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7jmw-8259-q9jx #2917)
- data/reports/GO-2024-2941.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-rvj4-q8q5-8grf #2941)
- data/reports/GO-2024-2973.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-39321 #2973)
- data/reports/GO-2024-3135.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-62c8-mh53-4cqv #3135)
- data/reports/GO-2024-3299.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-52003 #3299)
- data/reports/GO-2024-3342.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-hxr6-2p24-hf98 #3342)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      vulnerable_at: 1.7.34
summary: CVE-2025-32431 in github.com/traefik/traefik
cves:
    - CVE-2025-32431
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-32431
    - fix: https://github.com/traefik/traefik/pull/11684
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.24
    - web: https://github.com/traefik/traefik/releases/tag/v3.3.6
    - web: https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2
    - web: https://github.com/traefik/traefik/security/advisories/GHSA-6p68-w45g-48j7
source:
    id: CVE-2025-32431
    created: 2025-04-21T17:01:27.032861546Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-04-22T16:56:42Z

Change https://go.dev/cl/667315 mentions this issue: data/reports: add 7 reports

GoVulnBot added cve-year-2025 NeedsTriage labels Apr 21, 2025

thatnealpatel added triaged and removed NeedsTriage labels Apr 22, 2025

gopherbot closed this as completed in 5d8ad7b Apr 22, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2025-32431 #3634

x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2025-32431 #3634

GoVulnBot commented Apr 21, 2025

gopherbot commented Apr 22, 2025

x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2025-32431 #3634

x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2025-32431 #3634

Comments

GoVulnBot commented Apr 21, 2025

gopherbot commented Apr 22, 2025