Platform
go
Component
github.com/traefik/traefik
Fixed in
2.11.25
3.3.7
3.4.1
1.7.35
CVE-2025-32431 describes a vulnerability within the path matching functionality of Traefik, a popular reverse proxy and load balancer. This issue could potentially lead to unauthorized access or manipulation of services. The vulnerability impacts versions of Traefik prior to 2.11.24, and a patch has been released to address it.
The vulnerability lies in how Traefik handles path matching rules. An attacker could potentially craft malicious requests that bypass intended access controls, gaining access to protected resources or functionalities. The exact impact depends on the specific configuration of Traefik and the services it proxies. While the specific attack vector isn't detailed, the potential for unauthorized access warrants immediate attention. This could lead to data breaches, service disruption, or even complete compromise of the underlying infrastructure.
CVE-2025-32431 was publicly disclosed on April 22, 2025. The vulnerability's impact and the availability of a patch suggest a medium probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits. Monitor CISA and Traefik's security advisories for updates on exploitation activity.
Exploit Status
EPSS
0.44% (63% percentile)
CISA SSVC
The primary mitigation for CVE-2025-32431 is to upgrade Traefik to version 2.11.24 or later. This version includes a fix that addresses the path matching vulnerability. If an immediate upgrade is not feasible, consider reviewing and tightening your Traefik configuration, particularly the path matching rules. Ensure that rules are as specific as possible to minimize the attack surface. While a WAF might offer some protection, it's not a substitute for patching. Monitor Traefik logs for unusual patterns or requests that might indicate exploitation attempts.
Update Traefik to version 2.11.24, 3.3.6, or 3.4.0-rc2 or later. Alternatively, add a `PathRegexp` rule to the matcher to prevent a route from matching with `/../` in the path.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-32431 is a HIGH severity vulnerability in Traefik versions prior to 2.11.24, affecting path matching functionality and potentially allowing unauthorized access.
You are affected if you are running Traefik versions prior to 2.11.24. Check your version and upgrade immediately if vulnerable.
Upgrade Traefik to version 2.11.24 or later to address the vulnerability. Review and tighten your Traefik configuration as an additional precaution.
As of now, there are no publicly known active exploitation campaigns, but the vulnerability's impact warrants vigilance.
Refer to the official Traefik security advisories on their website for the latest information and updates regarding CVE-2025-32431.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.