CVE-2025-66490: Path Normalization Bypass in Traefik Router + Middleware Rules
There is a potential vulnerability in Traefik when it routes requests using a PathPrefix, Path or PathRegexp matcher.
When Traefik is configured to route requests to a backend using a path-based matcher, and the request path contains a percent-encoded restricted character from the set ('/', '\', NUL, ';', '?', '#'), it is possible to reach a backend exposed by another router, bypassing that router's middleware chain.
Access Control Bypass: any endpoint intended to be blocked (e.g. admin/debug/beta APIs) can be reached by URL-encoding slashes or other restricted characters in the request path.
This could lead to:
- Unauthorized access to restricted endpoints
- Execution of protected internal functionality
- Potential privilege escalation
- Bypass of security policies enforced via Traefik routing rules
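As an added illustration (not code from the advisory or from Traefik), the following Python check shows how a defender can audit request paths for the condition described above: it flags percent-encoded restricted characters and compares which PathPrefix router the raw path would match against the router the decoded, normalized path would match. The router table, the lenient-backend normalization and the sample paths are constructed assumptions.

```python
"""Flag request paths whose percent-encoded form could route differently once decoded."""
import posixpath
import re
from urllib.parse import unquote

# Restricted characters named in the advisory; "\x00" is the NUL byte.
RESTRICTED = {"/", "\\", "\x00", ";", "?", "#"}

# Constructed router table: (router name, PathPrefix rule, protected by middleware?)
ROUTERS = [
    ("catchall", "/", False),
    ("public", "/public", False),
    ("admin", "/admin", True),
]

def encoded_restricted(raw_path):
    """Return the restricted characters that appear percent-encoded in raw_path."""
    decoded = [chr(int(h, 16)) for h in re.findall(r"%([0-9A-Fa-f]{2})", raw_path)]
    return [c for c in decoded if c in RESTRICTED]

def normalize(raw_path):
    """Decode, collapse repeated slashes and resolve dot segments, as a lenient backend might."""
    return posixpath.normpath(re.sub(r"/+", "/", unquote(raw_path)))

def match_router(path):
    """Longest-prefix match over ROUTERS, mimicking a set of PathPrefix rules."""
    best = None
    for name, prefix, protected in ROUTERS:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[1])):
            best = (name, prefix, protected)
    return best

def audit(raw_path):
    """Compare routing of the raw path with routing of its normalized form."""
    raw = match_router(raw_path)
    decoded = match_router(normalize(raw_path))
    found = encoded_restricted(raw_path)
    return {
        "encoded_restricted": found,
        "raw_router": raw[0] if raw else None,
        "decoded_router": decoded[0] if decoded else None,
        # Suspicious: an encoded restricted char AND the two routings disagree.
        "suspicious": bool(found) and raw != decoded,
    }

if __name__ == "__main__":
    # Constructed sample paths, as they might appear in an access log.
    for p in ["/public/index.html", "/%2Fadmin/users", "/admin/users"]:
        print(p, audit(p))
```

A request whose raw and normalized forms land on different routers, while the protected router only matches the normalized form, is the pattern to alert on or reject at the edge.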