CVE-2025-54386

Sažetak

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.

Reference

https://github.com/traefik/plugin-service/pull/71
https://github.com/traefik/plugin-service/pull/72
https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800
https://github.com/traefik/traefik/pull/11911
https://github.com/traefik/traefik/releases/tag/v2.11.28
https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

02-08-2025 - 00:15

Objavljeno

02-08-2025 - 00:15