Traefik Path Traversal Vulnerability in WASM Plugin Installation Mechanism Allowing Arbitrary File Overwrite

Vulnerability

A path traversal vulnerability has been identified in Traefik versions 2.11.27 and prior, 3.0.0 through 3.4.4, and 3.5.0-rc1. The flaw is in the WASM plugin installation process: entry names in the plugin's ZIP archive are not checked for containment within the plugin directory, so an archive can be crafted whose entries carry directory traversal sequences such as '../'. When Traefik extracts such an archive, those entries are written outside the designated plugin directory, letting an attacker overwrite any file the Traefik process has permission to write. Depending on which file is overwritten, this can lead to remote code execution, privilege escalation, persistence, or a denial-of-service condition.

Impact

Exploitation results in arbitrary file overwrite with the privileges of the Traefik process. Depending on the file targeted, this can be turned into remote code execution, privilege escalation, persistence, or a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by supplying a crafted ZIP archive as a plugin asset to a Traefik instance with plugins enabled, so that Traefik's plugin extraction logic processes it. The archive must contain entry names that include '../' sequences; each such entry is written relative to the plugin directory with the traversal applied, so it lands outside that directory. A minimal reproduction is therefore: create a ZIP file whose entry paths include the desired directory traversal, use it as a plugin asset in Traefik, and confirm that the file is written outside the plugin directory.
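To make the mechanism concrete, the following Go program is an added example written for this page; it is not Traefik's code and does not reproduce Traefik's own extraction logic. It builds a constructed archive in memory (the entry names plugin.wasm and ../../overwritten.txt are assumptions for the example) and extracts it twice: once with the vulnerable pattern, where the entry name is simply joined onto the plugin directory, and once with a containment check that rejects the whole archive before anything is written.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Constructed sample archive (assumed names, not a real plugin): one ordinary
// plugin file plus an entry whose name climbs out of the plugin directory.
var craftedEntries = [][2]string{
	{"plugin.wasm", "\x00asm\x01\x00\x00\x00"},
	{"../../overwritten.txt", "attacker-controlled content\n"},
}

// buildCraftedZip writes craftedEntries into an in-memory ZIP. archive/zip's
// writer does not validate entry names, so the traversal name is stored as-is.
func buildCraftedZip() ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range craftedEntries {
		w, err := zw.Create(e[0])
		if err != nil {
			return nil, err
		}
		if _, err = io.WriteString(w, e[1]); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// safeTarget resolves name under dest and rejects absolute names and any name
// whose cleaned path is not strictly inside dest: the containment check.
func safeTarget(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanDest, target)
	if filepath.IsAbs(name) || err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip entry %q resolves outside %s", name, cleanDest)
	}
	return target, nil
}

// writeEntry copies one regular-file entry to target, creating parent dirs.
func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	data, err := io.ReadAll(rc)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

// extract resolves every entry name first, then writes. validate=false is the
// vulnerable pattern: filepath.Join turns "../" into a real parent hop and the
// crafted entry lands two levels above dest. validate=true rejects the whole
// archive before anything is written, so no partial install is left behind.
func extract(archive []byte, dest string, validate bool) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// With GODEBUG=zipinsecurepath=0 the reader itself flags traversal names
	// but stays usable; ignore that here so both code paths can be compared.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if !validate {
			targets[i] = filepath.Join(dest, f.Name) // no containment check
			continue
		}
		if targets[i], err = safeTarget(dest, f.Name); err != nil {
			return nil, err
		}
	}
	var written []string
	for i, f := range zr.File {
		if err := writeEntry(f, targets[i]); err != nil {
			return written, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}
```

Calling extract(archive, dest, false) with dest set to a plugin directory such as root/plugins/example writes overwritten.txt two levels up, directly under root; extract(archive, dest, true) returns an error naming the offending entry and writes nothing. On Go 1.20 and later, filepath.IsLocal(name) is a standard-library equivalent of the name check in safeTarget, and setting GODEBUG=zipinsecurepath=0 makes archive/zip report such names at open time as a second line of defence.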

Remediation

Upgrade to Traefik 2.11.28 (2.x line), 3.4.5 (3.4 line), or 3.5.0 (3.5 line); these releases address the vulnerability. Until the upgrade is applied, install only plugins from sources you trust, since the plugin archive is extracted with the privileges of the Traefik process.

Added: Aug 2, 2025, 12:42 AM
Updated: Aug 2, 2025, 12:42 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 10.0
exploitability: 5.6
remediation: 7.7
relevance: 0.3
threat: 4.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.