Traefik Path Matcher Vulnerability Bypasses Middleware Chain

Vulnerability

A vulnerability exists in Traefik versions up to and including 2.11.24 and 3.4.0 that allows requests containing URL-encoded strings to bypass the middleware chain. The issue arises when Traefik routes requests to backends using PathPrefix, Path, or PathRegex matchers. It can be exploited by sending a request whose path includes a URL-encoded traversal sequence, which manipulates the effective request path so that the middlewares applied to the route are evaded, potentially leading to unauthorized access or actions on the backend service.

Impact

Successful exploitation allows path traversal that bypasses the middleware chain, which could lead to unauthorized access to, or actions on, the targeted backend service.

Reproduction

To reproduce this vulnerability, create an IngressRoute that uses PathPrefix matchers and attaches middlewares to its routes. Then send a request to the service whose path includes a URL-encoded traversal sequence. The request reaches the backend service without the specified middlewares being applied, effectively bypassing them.
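As an added example that is not part of this advisory or of Traefik's own code, the defender-side check below (in Go, Traefik's language) decodes and normalizes each request path the way a backend would and flags any path whose raw and normalized forms disagree about a protected PathPrefix, which is the condition under which prefix-bound middlewares can miss a request. The sample paths and the /admin prefix are constructed assumptions, not captured traffic.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed sample request paths (not captured traffic).
var samplePaths = []string{
	"/admin/dashboard",               // protected before and after decoding
	"/public/%2e%2e/admin/dashboard", // raw prefix /public, decodes into /admin
}

// normalizePath percent-decodes and cleans a raw path; ok=false if it will not decode.
func normalizePath(raw string) (string, bool) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return raw, false
	}
	return path.Clean("/" + decoded), true
}

// matcherMismatch is true when raw and normalized paths disagree about a
// PathPrefix (or the path will not decode), so prefix-bound middlewares may not see it.
func matcherMismatch(raw, prefix string) bool {
	norm, ok := normalizePath(raw)
	return !ok || strings.HasPrefix(raw, prefix) != strings.HasPrefix(norm, prefix)
}

// flagSuspicious returns the raw paths that mismatch on any protected prefix.
func flagSuspicious(paths, protected []string) []string {
	var flagged []string
	for _, raw := range paths {
		for _, p := range protected {
			if matcherMismatch(raw, p) {
				flagged = append(flagged, raw)
				break
			}
		}
	}
	return flagged
}

func main() {
	for _, p := range flagSuspicious(samplePaths, []string{"/admin"}) {
		fmt.Println("middleware-bypass candidate:", p)
	}
}
```

Running the same check over access-log request targets gives a cheap signal for the bypass pattern on unpatched instances; it is a detection aid, not a substitute for upgrading.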

Remediation

Users can upgrade to Traefik versions 2.11.25 or 3.4.1, both of which include the necessary patch. Instructions for downloading these versions are available on the Traefik GitHub Releases page.

Added: Jun 5, 2025, 11:16 PM
Updated: Jun 5, 2025, 11:51 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread            7.6
  impact            0.6
  exploitability    9.7
  remediation       7.7
  relevance         0.0
  threat            6.4
  urgency           2.9
  incentive        10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.