CVE-2025-66490: Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-66490

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules

Source: NVD (National Vulnerability Database)

Vulnerability Description

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

解释冲突

Source: NVD (National Vulnerability Database)

Vulnerability Title

Traefik 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Traefik是Traefik开源的一款开源的反向代理与负载均衡工具。 Traefik 2.11.31版本至3.6.2版本存在安全漏洞，该漏洞源于路径规范化绕过，可能导致请求绕过安全控制。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
traefik	traefik	github.com/traefik/traefik/v3 < 3.6.3	-

II. Public POCs for CVE-2025-66490

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-66490

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: traefik

Same vendor: traefik

Same weakness: CWE-436

V. Comments for CVE-2025-66490

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2025-66490

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-66490

III. Intelligence Information for CVE-2025-66490

IV. Related Vulnerabilities

V. Comments for CVE-2025-66490

Leave a comment