CVE-2025-54386: Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
A path traversal vulnerability was discovered in Traefik's WASM plugin installation mechanism. By supplying a maliciously crafted ZIP archive whose entry names contain ../ sequences, an attacker can overwrite arbitrary files on the system outside the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.
✅ After investigation, it is confirmed that no plugins on the Catalog were affected. There is no known impact.
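The defensive check the advisory implies, as an added example (not Traefik's own code or the actual fix): every ZIP member name is resolved under the destination directory and compared against it before anything is written, so entries that climb out with ../ are reported and the archive can be refused. It assumes Go 1.20 or later for zip.ErrInsecurePath; the archive contents and the destination path in use are constructed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// UnsafeEntries returns the names of archive members that, once resolved under
// dest, would land outside dest. filepath.Join cleans the path and collapses
// "../" components, so a prefix comparison against dest exposes traversal.
// An installer should refuse the whole archive if this list is non-empty.
func UnsafeEntries(archive []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Since Go 1.20 NewReader may flag insecure names itself (ErrInsecurePath)
	// while still returning a usable Reader; we keep scanning to list them.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	root := filepath.Clean(dest) + string(os.PathSeparator)
	var bad []string
	for _, f := range r.File {
		name := filepath.FromSlash(f.Name) // ZIP names use "/" regardless of host
		target := filepath.Join(dest, name)
		if filepath.IsAbs(name) || !strings.HasPrefix(target, root) {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// BuildArchive builds an in-memory ZIP from ordered name/content pairs; it is a
// constructed fixture standing in for a downloaded plugin archive.
func BuildArchive(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e[0]) // the writer does not validate names
		fw.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}
```

Run the check on the downloaded archive before extraction and abort the install on a non-empty result; the returned names are what a detection log line should record.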
References
- github.com/advisories/GHSA-q6gg-9f92-r9wg
- github.com/traefik/plugin-service/pull/71
- github.com/traefik/plugin-service/pull/72
- github.com/traefik/traefik
- github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800
- github.com/traefik/traefik/pull/11911
- github.com/traefik/traefik/releases/tag/v2.11.28
- github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg
- nvd.nist.gov/vuln/detail/CVE-2025-54386