ghsa-q6gg-9f92-r9wg
Vulnerability from GitHub
Published
2025-08-01 18:08
Modified
2025-08-04 15:28
Summary
Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
Details

Summary

A path traversal vulnerability was discovered in the plugin installation mechanism for Traefik's WASM plugins. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. ✅ After investigation, it is confirmed that no plugins on the Catalog were affected. There is no known impact.

Details

The vulnerability resides in the WASM plugin extraction logic, specifically in the unzipFile function (/plugins/client.go). The application constructs file paths during ZIP extraction using filepath.Join(destDir, f.Name) without validating or sanitizing f.Name. If the ZIP archive contains entries with ../, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem.
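The check the advisory describes as missing, written as an added Go example rather than Traefik's own code or the referenced fix: safeJoin joins each entry name under destDir and rejects any result that does not stay strictly inside it, and extractZip validates every entry before writing a single file, so one traversal entry rejects the whole archive. The helper newArchive and the entry names plugin/main.wasm and ../outside.txt are constructed sample input for the demonstration, not taken from any real plugin.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal marks a ZIP entry whose name would resolve outside destDir.
var ErrPathTraversal = errors.New("zip entry escapes extraction directory")

// safeJoin replaces a bare filepath.Join(destDir, f.Name): it joins the entry
// name under destDir and rejects the result unless it stays inside destDir.
func safeJoin(destDir, name string) (string, error) {
	base := filepath.Clean(destDir)
	sep := string(os.PathSeparator)
	prefix := base
	if !strings.HasSuffix(prefix, sep) {
		prefix += sep // "plugins_evil" must not pass as a child of "plugins"
	}
	// ZIP entry names use '/', convert to the host separator before joining.
	// filepath.Join cleans the result, so "plugin/../../x" collapses and any
	// ".." that climbs above base yields a target without base as its prefix.
	target := filepath.Join(base, filepath.FromSlash(name))
	if !strings.HasPrefix(target, prefix) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return target, nil
}

// extractZip validates all entry names first and writes only afterwards, so a
// malicious archive is rejected as a whole and nothing reaches the filesystem.
func extractZip(archive []byte, destDir string) error {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if errors.Is(err, zip.ErrInsecurePath) {
		// Go 1.20+ can flag non-local names itself (GODEBUG zipinsecurepath=0);
		// treat that exactly like our own check.
		return fmt.Errorf("%w: %v", ErrPathTraversal, err)
	}
	if err != nil {
		return err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		t, err := safeJoin(destDir, f.Name)
		if err != nil {
			return err
		}
		targets[i] = t
	}
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		out, err := os.OpenFile(targets[i], os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return err
		}
	}
	return nil
}

// newArchive builds an in-memory ZIP from (name, content) pairs. It exists only
// to construct sample input for this example; the entries are not a real plugin.
func newArchive(entries [][2]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e[0]) // in-memory writer, errors are not expected here
		w.Write([]byte(e[1]))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	dir, _ := os.MkdirTemp("", "plugin-extract")
	defer os.RemoveAll(dir)
	benign := newArchive([][2]string{{"plugin/main.wasm", "wasm bytes"}})
	fmt.Println("benign archive:", extractZip(benign, dir))
	traversal := newArchive([][2]string{{"plugin/main.wasm", "x"}, {"../outside.txt", "x"}})
	fmt.Println("traversal archive:", extractZip(traversal, dir))
}
```

The prefix comparison is done on the cleaned, joined path rather than on the raw entry name, so encodings such as plugin/../../x or a leading slash are handled by filepath.Join itself; validating before writing matters because an archive that is only partially extracted when the bad entry is met would otherwise leave earlier files behind.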

Attack Requirements

There are several requirements needed to make this attack possible:
- The Traefik server should be deployed with plugins enabled with a WASM plugin (yaegi plugins are not impacted).
- The attacker should have write access to a remote plugin asset loaded by the Traefik server.
- The attacker should craft a malicious version of this plugin.

Warning

As clearly stated in the documentation, plugins are experimental in Traefik, and unsafe plugins could damage your infrastructure:

> Experimental Features
> Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.

Impact

This vulnerability did not affect any plugin from the catalog. There is no known impact. Additionally, the catalog will also prevent any compromised plugin from being available across all Traefik versions. This vulnerability could allow an attacker to perform an arbitrary file write outside the intended plugin extraction directory by crafting a malicious ZIP archive that includes ../ (directory traversal) in file paths.



{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.27"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.0-rc2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0-rc1"
            },
            {
              "fixed": "3.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-30"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-01T18:08:15Z",
    "nvd_published_at": "2025-08-02T00:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA path traversal vulnerability was discovered in WASM Traefik\u2019s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with `../` sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.\n **\u2705 After investigation, it is confirmed that no plugins on the [Catalog](https://plugins.traefik.io/plugins) were affected. There is no known impact.**\n\n### Details\nThe vulnerability resides in the WASM plugin extraction logic, specifically in the `unzipFile` function (`/plugins/client.go`). The application constructs file paths during ZIP extraction using `filepath.Join(destDir, f.Name)` without validating or sanitizing `f.Name`. If the ZIP archive contains entries with `../`, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem.\n\n### Attack Requirements\nThere are several requirements needed to make this attack possible:\n- The Traefik server should be deployed with [plugins enabled](https://doc.traefik.io/traefik/plugins/) with a WASM plugin (yaegi plugins are not impacted).\n- The attacker should have write access to a remote plugin asset loaded by the Traefik server\n- The attacker should craft a malicious version of this plugin\n\n### Warning\nAs clearly stated in the [documentation](https://doc.traefik.io/traefik/plugins/), plugins are experimental in Traefik, and unsafe plugins could damage your infrastructure:\n\n\u003e **Experimental Features**\nPlugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.\n\n### Impact\n**This vulnerability did not affect any plugin from the catalog. There is no known impact. \nAdditionally, the catalog will also prevent any compromised plugin to be available across all Traefik versions.**\nThis vulnerability could allow an attacker to perform arbitrary file write outside the intended plugin extraction directory by crafting a malicious ZIP archive that includes `../` (directory traversal) in file paths.",
  "id": "GHSA-q6gg-9f92-r9wg",
  "modified": "2025-08-04T15:28:05Z",
  "published": "2025-08-01T18:08:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/plugin-service/pull/71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/plugin-service/pull/72"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/pull/11911"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik Client Plugin\u0027s Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution"
}