Homepage

Directory Traversal Affecting traefik-3 package, versions <3.4.5-r0

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.89% (75th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Directory Traversal vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-MINIMOSLATEST-TRAEFIK3-13326668
  • published6 Oct 2025
  • disclosed2 Aug 2025
Report a new vulnerability Found a mistake?

Introduced: 2 Aug 2025

CVE-2025-54386  (opens in a new tab)
CWE-22  (opens in a new tab)
CWE-30  (opens in a new tab)

How to fix?

Upgrade Minimos:latest traefik-3 to version 3.4.5-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream traefik-3 package and not the traefik-3 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.