CVE-2025-54386: 
NixOS vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2025-54386) was discovered in Traefik's WASM plugin installation mechanism. The vulnerability affects Traefik versions 2.11.27 and below, 3.0.0 through 3.4.4, and 3.5.0-rc1. The issue was discovered and disclosed on August 1, 2025, and has been fixed in versions 2.11.28, 3.4.5, and 3.5.0 (GitHub Advisory).

The vulnerability resides in the WASM plugin extraction logic, specifically in the unzipFile function within /plugins/client.go. The application constructs file paths during ZIP extraction using filepath.Join(destDir, f.Name) without properly validating or sanitizing f.Name. The vulnerability has been assigned a CVSS v4.0 base score of 7.3 (High), with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L. The issue is classified under CWE-22 (Path Traversal) and CWE-30 (Path Traversal: 'dir..\filename') (NVD, GitHub Advisory).

By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. However, after investigation, it was confirmed that no plugins on the Catalog were affected, and there is no known impact in the wild (GitHub Advisory).

The vulnerability has been fixed in Traefik versions 2.11.28, 3.4.5, and 3.5.0. The fix includes proper validation of file paths extracted from ZIP archives to ensure they do not contain directory traversal elements or attempt to write files outside the intended destination directory (GitHub Commit).