GHSA-Q6GG-9F92-R9WG

Vulnerability from github – Published: 2025-08-01 18:08 – Updated: 2025-11-27 09:02
VLAI?
Summary
Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
Details

Summary

A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. ✅ After investigation, it is confirmed that no plugins on the Catalog were affected. There is no known impact.

Details

The vulnerability resides in the WASM plugin extraction logic, specifically in the unzipFile function (/plugins/client.go). The application constructs file paths during ZIP extraction using filepath.Join(destDir, f.Name) without validating or sanitizing f.Name. If the ZIP archive contains entries with ../, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem.

Attack Requirements

There are several requirements needed to make this attack possible: - The Traefik server should be deployed with plugins enabled with a WASM plugin (yaegi plugins are not impacted). - The attacker should have write access to a remote plugin asset loaded by the Traefik server - The attacker should craft a malicious version of this plugin

Warning

As clearly stated in the documentation, plugins are experimental in Traefik, and unsafe plugins could damage your infrastructure:

Experimental Features Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.

Impact

This vulnerability did not affect any plugin from the catalog. There is no known impact. Additionally, the catalog will also prevent any compromised plugin to be available across all Traefik versions. This vulnerability can allow an attacker to perform arbitrary file write outside the intended plugin extraction directory by crafting a malicious ZIP archive that includes ../ (directory traversal) in file paths.

Severity ?
7.3 (High)
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.27"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.0-rc2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0-rc1"
            },
            {
              "fixed": "3.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-30"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-01T18:08:15Z",
    "nvd_published_at": "2025-08-02T00:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA path traversal vulnerability was discovered in WASM Traefik\u2019s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.\n **\u2705 After investigation, it is confirmed that no plugins on the [Catalog](https://plugins.traefik.io/plugins) were affected. There is no known impact.**\n\n### Details\nThe vulnerability resides in the WASM plugin extraction logic, specifically in the `unzipFile` function (`/plugins/client.go`). The application constructs file paths during ZIP extraction using `filepath.Join(destDir, f.Name)` without validating or sanitizing `f.Name`. If the ZIP archive contains entries with `../`, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem.\n\n### Attack Requirements\nThere are several requirements needed to make this attack possible:\n- The Traefik server should be deployed with [plugins enabled](https://doc.traefik.io/traefik/plugins/) with a WASM plugin (yaegi plugins are not impacted).\n- The attacker should have write access to a remote plugin asset loaded by the Traefik server\n- The attacker should craft a malicious version of this plugin\n\n### Warning\nAs clearly stated in the [documentation](https://doc.traefik.io/traefik/plugins/), plugins are experimental in Traefik, and unsafe plugins could damage your infrastructure:\n\n\u003e **Experimental Features**\nPlugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.\n\n### Impact\n**This vulnerability did not affect any plugin from the catalog. There is no known impact. \nAdditionally, the catalog will also prevent any compromised plugin to be available across all Traefik versions.**\nThis vulnerability can allow an attacker to perform arbitrary file write outside the intended plugin extraction directory by crafting a malicious ZIP archive that includes `../` (directory traversal) in file paths.",
  "id": "GHSA-q6gg-9f92-r9wg",
  "modified": "2025-11-27T09:02:51Z",
  "published": "2025-08-01T18:08:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/plugin-service/pull/71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/plugin-service/pull/72"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/pull/11911"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik Client Plugin\u0027s Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.