CVE-2025-54386


Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in Traefik’s WASM plugin installation mechanism. By supplying a maliciously crafted ZIP archive whose entries contain file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. The issue is fixed in versions 2.11.28, 3.4.5 and 3.5.0.


Published

2025-08-02T00:15:25.500

Last Modified

2025-11-26T14:02:03.067

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-22
    CWE-30

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | traefik | traefik | < 2.11.7 | Yes |
| Application | traefik | traefik | < 3.4.4 | Yes |
| Application | traefik | traefik | 3.5.0 | Yes |
| Application | traefik | traefik | 3.5.0 | Yes |
| Application | traefik | traefik | 3.5.0 | Yes |
