CVE-2025-47952: 
vulnerability analysis and mitigation

CVE-2025-47952 is a path traversal vulnerability discovered in Traefik, an HTTP reverse proxy and load balancer, affecting versions 2.11.x prior to v2.11.25 and versions 3.4.x prior to v3.4.1. The vulnerability was disclosed on May 28, 2025, and allows attackers to bypass routing rules using URL-encoded path traversal sequences (GitHub Advisory, Wiz).

The vulnerability exists in Traefik's request handling when using PathPrefix, Path, or PathRegex matchers. When Traefik is configured to route requests using path-based matchers, an attacker can use URL-encoded strings (like '%2e%2e' for '..') in the path to bypass middleware chains and access unauthorized endpoints. For example, a request to 'http://mydomain.example.com/service/sub-path/%2e%2e/other-path' could reach a backend service while bypassing intended middleware security controls (GitHub Advisory). The vulnerability has been assigned a CVSS v4.0 score of 2.9 (LOW) with vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability affects all Traefik implementations with path prefix routes that expose only part of the downstream API. It allows attackers to bypass security middleware and access endpoints that are not intended to be publicly available, potentially leading to unauthorized access to protected resources (GitHub Advisory, Wiz).

The vulnerability has been patched in Traefik versions v2.11.25 and v3.4.1. Users are advised to upgrade to these versions or later. The fix includes normalizing request paths by decoding unreserved characters and implementing proper path traversal prevention mechanisms (GitHub Advisory, Wiz).