Upstream information

CVE-2025-47952 at MITRE

Description

Traefik (pronounced "traffic") is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, Traefik's handling of requests matched by a PathPrefix, Path or PathRegex matcher is vulnerable. When Traefik is configured to route requests to a backend using a path-based matcher, a request whose path contains a URL-encoded string can reach a backend exposed by a different router, bypassing the middleware chain of the router that should have handled it. This issue has been patched in versions 2.11.25 and 3.4.1.
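The matcher mismatch described above, as an added example that is not code from the Traefik project or from this advisory: a minimal Go model of a prefix router with two routers forwarding to the same backend, a protected `/api` router with an auth middleware and an unprotected catch-all. `Dispatch` matches either on the raw escaped path as received or on a normalized path, and in both cases reports the path the backend ends up seeing after its own percent-decoding. The route names, the `normalizePath` helper, the `Dispatch` function and the list-order matching are assumptions of this example; Traefik's real matcher, priority ordering and the actual fix are not reproduced here.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Route is a simplified path-prefix router: a prefix, the middleware chain
// applied when it matches, and the backend it forwards to. Unlike Traefik,
// this example evaluates routes in list order rather than by priority.
type Route struct {
	Name       string
	Prefix     string
	Middleware []string
	Backend    string
}

// Result records what the example proxy did with one request.
type Result struct {
	Router      string   // router that matched
	Middleware  []string // middleware chain that ran
	Backend     string   // backend the request was forwarded to
	BackendPath string   // path as the backend sees it after percent-decoding
}

// ExampleRoutes is a constructed configuration (assumption of this example):
// a protected API router and an unprotected catch-all on the same backend.
var ExampleRoutes = []Route{
	{Name: "api", Prefix: "/api", Middleware: []string{"forwardAuth"}, Backend: "app"},
	{Name: "catch-all", Prefix: "/", Middleware: nil, Backend: "app"},
}

// isUnreserved reports whether c is an RFC 3986 unreserved character.
func isUnreserved(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') ||
		c == '-' || c == '.' || c == '_' || c == '~'
}

// normalizePath decodes percent-encoded unreserved characters (so "/%61pi"
// becomes "/api") and upper-cases the hex digits of every other escape, which
// stays encoded ("%2f" becomes "%2F", never a slash). Malformed escapes are
// copied through unchanged. This is the example's own normalisation step,
// not Traefik's implementation.
func normalizePath(p string) string {
	var b strings.Builder
	for i := 0; i < len(p); i++ {
		if p[i] == '%' && i+2 < len(p) {
			if v, err := strconv.ParseUint(p[i+1:i+3], 16, 8); err == nil {
				if isUnreserved(byte(v)) {
					b.WriteByte(byte(v))
				} else {
					b.WriteByte('%')
					b.WriteString(strings.ToUpper(p[i+1 : i+3]))
				}
				i += 2
				continue
			}
		}
		b.WriteByte(p[i])
	}
	return b.String()
}

// match returns the first route whose prefix matches path, or nil.
func match(routes []Route, path string) *Route {
	for i := range routes {
		if strings.HasPrefix(path, routes[i].Prefix) {
			return &routes[i]
		}
	}
	return nil
}

// Dispatch routes one request path. With normalizeBeforeMatch=false the
// matcher sees the escaped path exactly as received (the class of behaviour
// the CVE description refers to); with true it sees the normalized path.
// Either way the backend receives the original path and decodes it itself.
func Dispatch(routes []Route, rawPath string, normalizeBeforeMatch bool) (Result, error) {
	matchPath := rawPath
	if normalizeBeforeMatch {
		matchPath = normalizePath(rawPath)
	}
	rt := match(routes, matchPath)
	if rt == nil {
		return Result{}, fmt.Errorf("no router matches %q", rawPath)
	}
	backendPath, err := url.PathUnescape(rawPath)
	if err != nil {
		return Result{}, fmt.Errorf("malformed path %q: %w", rawPath, err)
	}
	return Result{Router: rt.Name, Middleware: rt.Middleware, Backend: rt.Backend, BackendPath: backendPath}, nil
}

func main() {
	for _, p := range []string{"/api/secret", "/%61pi/secret"} {
		for _, normalize := range []bool{false, true} {
			r, err := Dispatch(ExampleRoutes, p, normalize)
			if err != nil {
				fmt.Println(err)
				continue
			}
			fmt.Printf("path=%-14s normalize=%-5v router=%-9s middleware=%v backend sees %s\n",
				p, normalize, r.Router, r.Middleware, r.BackendPath)
		}
	}
}
```

Running the program shows the two behaviours side by side: with raw-path matching, `/%61pi/secret` is not a prefix match for `/api`, falls through to the catch-all with no middleware, and still reaches the backend as `/api/secret` once the backend decodes it; with normalized matching it is handled by the `/api` router and its `forwardAuth` middleware. The practical check for a deployment is the same as the model: upgrade to a fixed Traefik, and audit any routers that share a backend with a less-protected router, since the bypass only matters where such a pair exists.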

SUSE information

Overall state of this security issue: Resolved

This issue is currently not rated by SUSE, as it does not affect SUSE Enterprise products.

CVSS v4 Scores
  CNA (GitHub)
Base Score 2.9
Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User Interaction None
Vulnerable System Confidentiality Impact Low
Vulnerable System Integrity Impact Low
Vulnerable System Availability Impact None
Subsequent System Confidentiality Impact None
Subsequent System Integrity Impact None
Subsequent System Availability Impact None
CVSSv4 Version 4.0
SUSE Bugzilla entry: 1243818 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • govulncheck-vulndb >= 0.0.20250529T205903-1.1
  • traefik >= 3.4.3-1.1
  • traefik2 >= 2.11.26-1.1
Patchnames:
openSUSE-Tumbleweed-2025-15188
openSUSE-Tumbleweed-2025-15304
openSUSE-Tumbleweed-2025-15305


SUSE Timeline for this CVE

CVE page created: Fri May 30 08:00:24 2025
CVE page last modified: Fri Jul 4 12:44:11 2025