Traefik allows path traversal using url encoding

Impact There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. Example yaml apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: my-service spec: routes: – match: PathPrefix(‘/service’) kind: Rule services: – name: service-a port: 8080 middlewares: – name: my-middleware-a – match: PathPrefix(‘/service/sub-path’) kind: Rule services: – name: service-a port: 8080 In such a case, the request https://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is https://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a). Patches https://github.com/traefik/traefik/releases/tag/v2.11.25 https://github.com/traefik/traefik/releases/tag/v3.4.1 For more information If you have any questions or comments about this advisory, please open an issue. Original Description ### Summary Path traversal with "/../" using URL encodings ("/%2e%2e") allows for circumventing routing rules. ### Details When having defined a route,…Read More