CVE-2025-54386

Aliases:GHSA-q6gg-9f92-r9wgGO-2025-3835

Advisory lineage Upstream: 0 Downstream: 3

Downstream

OPENSUSE-SU-2025:15434-1 OPENSUSE-SU-2026:10143-1 SUSE-SU-2025:02912-1

Analyzed

Published: 01 Aug 2025, 23:32

Last modified:04 Aug 2025, 15:28

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

3.36% LOW

3% probability +2.70%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

01 Aug 2025, 23:32

Published

Vulnerability first disclosed

04 Aug 2025, 15:28

Last Modified

Vulnerability information updated

Description

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.

CVSS Metrics

v4.0•HIGH•Score: 7.3CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
v4.0•HIGH•Score: 7.3CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 3.36%• Percentile: 88%

Techniques & Countermeasures

CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-30•Path Traversal: '\dir\..\filename'
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\dir\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

Affected Systems

github.com/traefik•traefik
all
github.com/traefik/traefik•v2
< 2.11.28
github.com/traefik/traefik•v3
< 3.4.5 | ≥ 3.5.0-rc1, < 3.5.0
traefik•traefik
< 2.11.28 | < 3.4.5 | ≥ 3.5.0-rc1, < 3.5.0-rc2 | < 2.11.7 | ≥ 3.0.0, < 3.4.4 | 3.5.0 | 3.5.0:rc1 | 3.5.0:rc2