Homepage

Directory Traversal Affecting traefik-3 package, versions <3.3.6-r0

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Directory Traversal vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-MINIMOSLATEST-TRAEFIK3-13314520
  • published6 Oct 2025
  • disclosed21 Apr 2025
Report a new vulnerability Found a mistake?

Introduced: 21 Apr 2025

CVE-2025-32431  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Minimos:latest traefik-3 to version 3.3.6-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream traefik-3 package and not the traefik-3 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a PathRegexp rule to the matcher to prevent matching a route with a /../ in the path.