Traefik Authentication Bypass Vulnerability in StripPrefixRegex Middleware

Vulnerability

A high-severity authentication bypass vulnerability exists in Traefik's StripPrefixRegex middleware, affecting versions through 2.11.42, 3.6.13, and 3.7.0-rc.1. It arises when the middleware is combined with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the configured regex against the decoded URL path, but then slices the percent-encoded raw path using the byte length of that match. When the matched prefix contains dots, this discrepancy can leave a dot-segment path (e.g., /./admin/secret). ForwardAuth receives this dot-segment path in the X-Forwarded-Uri header, where it fails to match the protected path patterns, so the request is passed on to the backend. The backend normalizes the dot-segment to the actual path according to RFC 3986 and serves the protected content. An unauthenticated attacker can exploit this against any backend that normalizes dot-segments.
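As an added illustration (not Traefik's code), the simplified Go model below reproduces the mismatch described above: the prefix regex is matched against the decoded path, the flawed variant reuses that byte length to slice the percent-encoded raw path and leaves a dot-segment, while the fixed variant translates the offset first. The `consistent` function is the invariant a proxy can check before forwarding. The request path, regex and function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// rawOffset maps a byte offset in the decoded path to the raw path, counting each %XX escape as one byte.
func rawOffset(raw string, n int) int {
	i := 0
	for ; n > 0 && i < len(raw); n-- {
		if raw[i] == '%' && i+2 < len(raw) {
			i += 3
		} else {
			i++
		}
	}
	return i
}

// stripPrefix removes the regex match and returns (decoded path, raw path). With
// fixed=false the decoded match length is reused to slice the raw path (the flaw).
func stripPrefix(re *regexp.Regexp, u *url.URL, fixed bool) (string, string) {
	raw := u.EscapedPath() // never shorter than u.Path, so the slices stay in range
	loc := re.FindStringIndex(u.Path)
	if loc == nil {
		return u.Path, raw
	}
	cut := loc[1]
	if fixed {
		cut = rawOffset(raw, loc[1])
	}
	return "/" + strings.TrimPrefix(u.Path[loc[1]:], "/"), "/" + strings.TrimPrefix(raw[cut:], "/")
}

// consistent is the invariant to enforce before forwarding: the raw path must decode to exactly the decoded path.
func consistent(path, rawPath string) bool {
	p, err := url.PathUnescape(rawPath)
	return err == nil && p == path
}

func main() {
	u, _ := url.Parse("/%61./admin/secret") // constructed: prefix "/a./" holds a dot, "a" is sent as %61
	re := regexp.MustCompile(`^/a\./`)
	p, r := stripPrefix(re, u, false)
	fmt.Println("flawed:", p, r, consistent(p, r)) // /admin/secret /./admin/secret false
	p, r = stripPrefix(re, u, true)
	fmt.Println("fixed: ", p, r, consistent(p, r)) // /admin/secret /admin/secret true
}
```

The flawed variant forwards a raw path that no longer decodes to the decoded path; asserting `consistent` at the middleware boundary turns that silent divergence into a rejected request.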

Impact

Exploitation of this vulnerability allows for authentication bypass, granting unauthorized access to protected resources or functionalities.

Remediation

Users can upgrade to Traefik versions 2.11.43, 3.6.14, or 3.7.0-rc.2 to address this vulnerability.

Added: Apr 30, 2026, 9:31 PM
Updated: Apr 30, 2026, 9:31 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 7.9
remediation: 7.7
relevance: 7.1
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.