Platform: go
Component: github.com/traefik/traefik
Fixed in: 2.11.28, 3.0.1, 3.5.1
CVE-2025-54386 describes a Remote Code Execution (RCE) vulnerability within the Traefik Client Plugin, a component of the Traefik reverse proxy. This flaw allows attackers to overwrite arbitrary files on the system, potentially leading to complete system compromise. The vulnerability affects versions of Traefik prior to 2.11.28, and a patch has been released to address the issue.
The core of this vulnerability lies in a path traversal flaw within the Traefik Client Plugin. An attacker can craft malicious requests that manipulate file paths, allowing them to write data to locations outside of the intended plugin directory. This arbitrary file overwrite capability can be leveraged to overwrite critical system files, inject malicious code, or gain persistent access to the system. Successful exploitation could lead to complete system takeover, data exfiltration, and denial of service. The impact is particularly severe given Traefik's role as a reverse proxy, often sitting in front of critical applications and services.
CVE-2025-54386 was publicly disclosed on August 11, 2025. The vulnerability's impact and ease of exploitation suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (PoC) code is anticipated given the nature of the vulnerability. Monitor CISA and vendor advisories for updates on active exploitation campaigns.
Organizations utilizing Traefik as a reverse proxy, particularly those with the Client Plugin feature enabled, are at risk. This includes environments with custom plugins or integrations, as well as those relying on Traefik for securing critical web applications. Shared hosting environments where multiple users share the same Traefik instance are also at increased risk.
• go / server: ps aux | grep traefik
• go / server: journalctl -u traefik -f | grep "path traversal"
• generic web: curl -I <traefik_endpoint>/clientplugin/malicious_path
• generic web: grep -r "path traversal" /etc/traefik/traefik.yml
Exploit Status
EPSS: 0.91% (percentile 76%)
CISA SSVC
The primary mitigation for CVE-2025-54386 is to upgrade Traefik to version 2.11.28 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider temporarily disabling the Client Plugin feature to reduce the attack surface. While not a complete fix, implementing strict input validation and sanitization on any user-provided data used in file paths within the plugin can help mitigate the risk. Monitor Traefik logs for unusual file access patterns or attempts to access restricted directories. After upgrading, confirm the fix by attempting to trigger the path traversal vulnerability with a known malicious payload and verifying that the attempt is blocked.
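The input-validation mitigation described above, shown as an added Go example rather than Traefik's own code: SafeJoin resolves an untrusted relative path against a plugin directory and refuses anything that lexically escapes it, placed beside the naive filepath.Join it replaces so the difference is visible. The plugin directory, the sample paths and the function names are constructed for illustration and are not taken from Traefik.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a resolved path escapes the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// UnsafeJoin is the pattern that leads to arbitrary file writes: it cleans the
// result, but ".." components are resolved *against* baseDir, so the caller
// can end up anywhere on the filesystem. Kept here only for contrast.
func UnsafeJoin(baseDir, untrusted string) string {
	return filepath.Join(baseDir, untrusted)
}

// SafeJoin resolves an untrusted relative path against baseDir and returns the
// absolute result only if it stays inside baseDir. It rejects empty input,
// NUL bytes, absolute paths and any lexical escape via "..". It does not
// follow symlinks; resolve those separately if the directory may contain them.
func SafeJoin(baseDir, untrusted string) (string, error) {
	if untrusted == "" {
		return "", errors.New("empty path")
	}
	// NUL bytes can truncate a path in some system calls, so reject them outright.
	if strings.ContainsRune(untrusted, 0) {
		return "", errors.New("NUL byte in path")
	}
	// Treat backslashes as separators so they cannot be used to smuggle
	// components past the checks on platforms that accept them.
	untrusted = strings.ReplaceAll(untrusted, "\\", "/")
	if filepath.IsAbs(untrusted) || strings.HasPrefix(untrusted, "/") {
		return "", errors.New("absolute path not allowed")
	}
	absBase, err := filepath.Abs(filepath.Clean(baseDir))
	if err != nil {
		return "", err
	}
	// Join cleans the result, so every ".." has been applied by now; the
	// relative path back from absBase tells us whether we left the directory.
	joined := filepath.Join(absBase, filepath.FromSlash(untrusted))
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	// Constructed plugin directory and sample inputs (hypothetical values).
	base := "/opt/traefik/plugins"
	inputs := []string{
		"myplugin/main.go",
		"../../../etc/passwd",
		"ok/../still-inside.txt",
		"/etc/passwd",
	}
	for _, in := range inputs {
		safe, err := SafeJoin(base, in)
		fmt.Printf("input=%q unsafe=%q safe=%q err=%v\n", in, UnsafeJoin(base, in), safe, err)
	}
}
```

The check relies on filepath.Rel rather than a plain string-prefix comparison, so a sibling directory such as /opt/traefik/plugins-evil is correctly rejected even though it shares a prefix with the base.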
Update Traefik to version 2.11.28, 3.4.5 or 3.5.0 (or later) to fix the path traversal vulnerability. This prevents the arbitrary file overwrite and the possible remote code execution. See the Traefik security advisory for further details.
CVE-2025-54386 is a Remote Code Execution vulnerability in the Traefik Client Plugin, allowing attackers to overwrite files and potentially gain control of the system. It affects versions before 2.11.28.
You are affected if you are using Traefik versions prior to 2.11.28 and have the Client Plugin feature enabled. Check your Traefik version immediately.
Upgrade Traefik to version 2.11.28 or later. If immediate upgrade is not possible, disable the Client Plugin feature as a temporary workaround.
While active exploitation has not been confirmed, the vulnerability's severity and potential impact suggest a medium probability of exploitation. Monitor security advisories for updates.
Refer to the official Traefik security advisory on their website or GitHub repository for detailed information and updates regarding CVE-2025-54386.