Traefik Kubernetes Gateway API REST Provider Exposure Vulnerability

Vulnerability

A vulnerability exists in Traefik's Kubernetes Gateway API provider that allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The vulnerability is present in Traefik versions prior to 2.11.46, 3.6.17, and 3.7.1. The issue arises because the Gateway provider accepts any TraefikService backend reference ending with @internal, so a route can target rest@internal alongside the intended api@internal. In shared Gateway deployments with the REST provider enabled, this gives a low-privileged actor write access to the live dynamic configuration, allowing unauthorized reconfiguration of routers and services.

Impact

Exploitation of this vulnerability grants unauthorized write access to Traefik's dynamic configuration, allowing for unsanctioned changes to routers and services.

Remediation

Users can upgrade to Traefik versions 2.11.46, 3.6.17, or 3.7.1 to address this vulnerability.
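As an added detection example (not Traefik's own code), the check below audits already-parsed HTTPRoute objects for backendRefs that name a Traefik-internal TraefikService other than api@internal, which is the pattern the advisory describes. It assumes the Gateway API provider's reference form (group traefik.io, kind TraefikService, name ending in @internal) and takes manifests as Python dicts, such as the items of a JSON listing of HTTPRoutes; the sample routes are constructed.

```python
# Added example, not Traefik project code. Audits parsed HTTPRoute manifests
# (dicts) for TraefikService backendRefs ending in "@internal" that are not on
# the allow-list. Assumption: internal services are referenced as
# group "traefik.io", kind "TraefikService", name "<name>@internal".

ALLOWED_INTERNAL = frozenset({"api@internal"})


def is_traefik_service_ref(ref):
    """True when a backendRef points at a Traefik-provided TraefikService."""
    return ref.get("group") == "traefik.io" and ref.get("kind") == "TraefikService"


def find_unexpected_internal_refs(route, allowed=ALLOWED_INTERNAL):
    """Return (namespace/name, rule_index, backend_name) for every backendRef
    whose TraefikService name ends with @internal but is not allow-listed."""
    meta = route.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for i, rule in enumerate(route.get("spec", {}).get("rules", [])):
        for ref in rule.get("backendRefs", []):
            name = ref.get("name", "")
            if is_traefik_service_ref(ref) and name.endswith("@internal") and name not in allowed:
                findings.append((ident, i, name))
    return findings


def audit(routes):
    """Run the check over a list of parsed HTTPRoute objects."""
    findings = []
    for route in routes:
        findings.extend(find_unexpected_internal_refs(route))
    return findings


# Constructed sample: a legitimate dashboard route in the platform namespace
# and a tenant route whose second rule targets rest@internal.
SAMPLE_ROUTES = [
    {"metadata": {"name": "dashboard", "namespace": "traefik"},
     "spec": {"rules": [{"backendRefs": [
         {"group": "traefik.io", "kind": "TraefikService", "name": "api@internal"}]}]}},
    {"metadata": {"name": "app", "namespace": "tenant-a"},
     "spec": {"rules": [
         {"backendRefs": [{"kind": "Service", "name": "app-svc", "port": 80}]},
         {"backendRefs": [
             {"group": "traefik.io", "kind": "TraefikService", "name": "rest@internal"}]}]}},
]

if __name__ == "__main__":
    for ident, rule_idx, name in audit(SAMPLE_ROUTES):
        print(f"{ident}: rule[{rule_idx}] references {name}")
```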

Added: May 15, 2026, 5:25 PM
Updated: May 15, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.