
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN848
_____________________________________________________________________

DATE                : 12/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Traefik versions prior
                           to 2.11.32, 3.6.3.

=====================================================================
https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c
https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj
_____________________________________________________________________


Path Normalization Bypass in Traefik Router + Middleware Rules
High
nmengin published GHSA-gm3x-23wp-hc2c Dec 8, 2025

Package
Traefik (Go)

Affected versions
<= v2.11.31, <= v3.6.2

Patched versions
v2.11.32, v3.6.3


Description

Impact

There is a potential vulnerability in how Traefik handles requests
routed with a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route requests to a backend using a
path-based matcher, and the request path contains an encoded form of
a restricted character from the set ('/', '\', 'Null', ';', '?', '#'),
it is possible to reach a backend exposed by another router while
bypassing that router's middleware chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    # Protected router: /admin/ is guarded by a middleware
    - match: PathPrefix(`/admin/`)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-security-middleware
    # Catch-all router with no middleware
    - match: PathPrefix(`/`)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/admin%2F
reaches the backend service-a without going through the middleware
my-security-middleware, bypassing the security put in place for
the /admin/ path.


Patches

    https://github.com/traefik/traefik/releases/tag/v2.11.32
    https://github.com/traefik/traefik/releases/tag/v3.6.4

For more information

If you have any questions or comments about this advisory,
please open an issue.


Original Description

Summary

A vulnerability exists in Traefik’s path matching logic that allows
attackers to bypass access-control middleware (e.g., blocking rules)
by using URL-encoded paths. I found this vulnerability while playing
PwnSec CTF 2025 with my team @0xL4ugh.

Details

Traefik evaluates router rules before decoding or normalizing
the request path, but forwards the request after decoding to
the backend service. As a result, routes meant to block access
to sensitive endpoints (such as internal, beta, or admin
endpoints) can be trivially bypassed.


PoC

Traefik configuration used in this issue:

# Router table header assumed here; the posted snippet omitted it
[http.routers.report-note]
  entryPoints = ["web"]
  rule = "PathPrefix(`/report_note`)"
  priority = 10
  middlewares = ["block-access"]
  service = "flask-service"

# Rewrites every matched path to /blocked
[http.middlewares.block-access.replacePathRegex]
  regex = ".*"
  replacement = "/blocked"

The intention is to block all access to /report_note.

However, the following request bypasses the block:

POST /%2freport_note HTTP/1.1
Host: localhost:62814


Impact

Access Control Bypass:
Any endpoint intended to be blocked (e.g.,
admin/debug/beta APIs) can be accessed by URL-encoding
slashes or other characters.

This could lead to:

    Unauthorized access to restricted endpoints
    Execution of protected internal functionality
    Potential privilege escalation
    Bypass of security policies enforced via Traefik routing rules



Severity
High
7.8 / 10

CVSS v4 base metrics

Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: None
    User Interaction: None
Vulnerable System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: None
Subsequent System Impact Metrics
    Confidentiality: High
    Integrity: High
    Availability: None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

CVE ID
CVE-2025-66490

Weaknesses
No CWEs

Credits

    @ShadoooooW (Reporter)

_____________________________________________________________________


Inverted TLS Verification Logic in Kubernetes NGINX Provider
Moderate
nmengin published GHSA-7vww-mvcr-x6vj Dec 8, 2025

Package
Traefik (Go)

Affected versions
>= v3.5.0, <= v3.6.2

Patched versions
v3.6.3


Description

Impact

There is a potential vulnerability in the Traefik NGINX provider's
handling of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation.

The provider inverts the semantics of the annotation: setting it to
"on" (intending to enable verification of the backend's TLS
certificate) actually disables verification, allowing
man-in-the-middle attacks against HTTPS backends while operators
believe they are protected.
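An added example, not part of the advisory or of Traefik's code, for the inventory step a defender needs after reading the above: list the Ingress objects whose proxy-ssl-verify annotation is "on", since on an affected Traefik those are the backends that get no certificate verification despite the operator's intent, and check whether a version tag falls in the affected range. The sample Ingress list is constructed and mimics the shape of kubectl JSON output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const proxySSLVerify = "nginx.ingress.kubernetes.io/proxy-ssl-verify"

// Constructed sample shaped like `kubectl get ingress -A -o json`, reduced
// to the fields this check reads.
const sampleIngressList = `{"items":[
 {"metadata":{"namespace":"shop","name":"api",
  "annotations":{"nginx.ingress.kubernetes.io/proxy-ssl-verify":"on"}}},
 {"metadata":{"namespace":"shop","name":"web",
  "annotations":{"nginx.ingress.kubernetes.io/proxy-ssl-verify":"off"}}},
 {"metadata":{"namespace":"ops","name":"grafana","annotations":{}}}]}`

// encoding/json matches keys case-insensitively, so no tags are needed.
type ingressList struct {
	Items []struct {
		Metadata struct {
			Namespace, Name string
			Annotations     map[string]string
		}
	}
}

// AffectedVersion reports whether a Traefik version tag such as "v3.6.2"
// falls inside the advisory's range (>= v3.5.0 and <= v3.6.2).
func AffectedVersion(tag string) bool {
	var major, minor, patch int
	if _, err := fmt.Sscanf(tag, "v%d.%d.%d", &major, &minor, &patch); err != nil {
		return false
	}
	key := major*1000000 + minor*1000 + patch
	return key >= 3005000 && key <= 3006002
}

// ExposedIngresses lists "namespace/name" for every Ingress whose
// proxy-ssl-verify annotation is "on": on an affected Traefik the provider
// turns that setting into no verification at all, so these need review.
func ExposedIngresses(listJSON string) ([]string, error) {
	var list ingressList
	if err := json.Unmarshal([]byte(listJSON), &list); err != nil {
		return nil, err
	}
	var out []string
	for _, it := range list.Items {
		if it.Metadata.Annotations[proxySSLVerify] == "on" {
			out = append(out, it.Metadata.Namespace+"/"+it.Metadata.Name)
		}
	}
	return out, nil
}
```

Run ExposedIngresses over real `kubectl get ingress -A -o json` output only on clusters whose Traefik reports a version for which AffectedVersion returns true.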


Patches

    https://github.com/traefik/traefik/releases/tag/v3.6.3


For more information

If you have any questions or comments about this advisory, please
open an issue.



Severity
Moderate
5.9 / 10

CVSS v3 base metrics

    Attack vector: Network
    Attack complexity: High
    Privileges required: None
    User interaction: None
    Scope: Unchanged
    Confidentiality: High
    Integrity: None
    Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2025-66491

Weaknesses
Weakness CWE-295


Credits

    @pavelkohout396 (Reporter)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================