Description
Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in Traefik's WASM plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.
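The defect described above is the classic "zip slip" shape: an extractor joins each archive entry name onto the plugin directory without checking where the result lands. The following is an added example of a hardened extractor written in Go (the language Traefik is written in); it is not Traefik's code and is not taken from the linked patches. Every entry name is resolved against the destination and rejected if it is absolute or escapes the directory, all names are validated before anything is written, and files are opened with O_EXCL so an archive can never overwrite an existing file. The archive contents, entry names and the ErrTraversal error are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an archive entry would escape destDir (constructed name).
var ErrTraversal = errors.New("zip entry escapes destination directory")

// safeExtractPath resolves an entry name under destDir and rejects anything that
// would land outside it: absolute paths, "../" sequences, or a bare "..".
func safeExtractPath(destDir, name string) (string, error) {
	name = filepath.FromSlash(name) // zip names use forward slashes
	if filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("%w: %q is absolute", ErrTraversal, name)
	}
	cleanDest := filepath.Clean(destDir)
	target := filepath.Join(cleanDest, name) // Join cleans, so "../" is collapsed here
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// writeEntry copies one archive member to target, refusing to clobber an existing file.
// Symlink entries are written as plain files holding the link text, never as links.
func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// extractZip unpacks an in-memory archive into destDir and returns the entry names
// written. The whole archive is refused if any entry fails validation.
func extractZip(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if errors.Is(err, zip.ErrInsecurePath) {
		// Go 1.20+ flags non-local names itself when GODEBUG=zipinsecurepath=0.
		return nil, fmt.Errorf("%w: %v", ErrTraversal, err)
	}
	if err != nil {
		return nil, err
	}
	// Pass 1: validate every name before touching the filesystem, so a bad entry
	// late in the archive cannot leave a half-installed plugin behind.
	targets := make([]string, len(r.File))
	for i, f := range r.File {
		if targets[i], err = safeExtractPath(destDir, f.Name); err != nil {
			return nil, err
		}
	}
	// Pass 2: write the validated entries.
	var written []string
	for i, f := range r.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return written, err
		}
		if err := writeEntry(f, targets[i]); err != nil {
			return written, err
		}
		written = append(written, f.Name)
	}
	return written, nil
}

// buildZip assembles a constructed archive in memory from (name, content) pairs.
func buildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e[0])
		if err != nil {
			panic(err)
		}
		fw.Write([]byte(e[1]))
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// maliciousArchive has the shape the advisory describes: one entry climbs out of
// the plugin directory. benignArchive is a well-formed plugin. Both are constructed.
func maliciousArchive() []byte {
	return buildZip([][2]string{{"demo/plugin.wasm", "\x00asm"}, {"../../escaped.txt", "outside"}})
}

func benignArchive() []byte {
	return buildZip([][2]string{{"demo/plugin.wasm", "\x00asm"}, {"demo/manifest.yml", "displayName: demo\n"}})
}

func main() {
	dir, err := os.MkdirTemp("", "plugins-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	_, err = extractZip(maliciousArchive(), dir)
	fmt.Println("malicious archive:", err)
	written, err := extractZip(benignArchive(), dir)
	fmt.Println("benign archive:", written, err)
}
```

The check is done with filepath.Rel on the joined path rather than a string-prefix test on the raw name, because Join has already collapsed the "../" sequences by the time the comparison happens, and a prefix test would also let "plugins-evil" pass as a child of "plugins". Validating every name before the first write is what turns "the bad entry is skipped" into "the archive is rejected", which is the behaviour a plugin installer wants.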
References (6)
Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg
Patch: https://github.com/traefik/plugin-service/pull/71
Patch: https://github.com/traefik/plugin-service/pull/72
Patch: https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800
Release Notes: https://github.com/traefik/traefik/releases/tag/v2.11.28
Patch: https://github.com/traefik/traefik/pull/11911
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0128
EPSS Percentile: 79.7%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-22, CWE-30
Status: published
Products (4)
traefik/traefik 3.5.0 (3 CPE variants)
traefik/traefik < 2.11.7
traefik/traefik 0 - 2.11.28 (Go)
traefik/traefik 0 - 3.4.5 (Go)
Published: Aug 02, 2025
Tracked Since: Feb 18, 2026