{"id":"CVE-2025-47952","summary":"Traefik allows path traversal using url encoding","details":"Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.","aliases":["GHSA-vrch-868g-9jx5","GO-2025-3719"],"modified":"2026-04-10T05:27:57.678716Z","published":"2025-05-30T03:37:12.685Z","related":["openSUSE-SU-2025:15188-1","openSUSE-SU-2025:15304-1","openSUSE-SU-2025:15305-1"],"database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47952.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v2.11.25"},{"type":"WEB","url":"https://github.com/traefik/traefik/releases/tag/v3.4.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47952.json"},{"type":"ADVISORY","url":"https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47952"},{"type":"FIX","url":"https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/traefik/traefik","events":[{"introduced":"d99d2f95e66a28ee8180634dc80fdf13ba68c62a"},{"fixed":"5f35c888051a2d33998a5cac3bd945b11b555d93"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47952.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}