FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

traefik -- Bypassing security controls via special characters

Affected packages
traefik < 3.6.3

Details

VuXML ID 91b9790e-de65-11f0-b893-5404a68ad561
Discovery 2025-12-08
Entry 2025-12-21

The traefik project reports:

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set ('/', '', 'Null', ';', '?', '#'), it is possible to target a backend, exposed using another router, by-passing the middlewares chain.
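A log check for the condition the advisory describes, as an added example that is not part of the VuXML entry or the traefik project's code. It flags requests whose path carries a percent-encoded restricted character. Assumptions: access logs are in common log format and record the request target as received; the sample lines are constructed; RESTRICTED holds only the characters named in the quoted set.

```python
import re

# Percent-encodings of restricted characters named in the advisory text
# (assumption: extend this map if your copy of the advisory lists more).
RESTRICTED = {"%2f": "/", "%00": "NUL", "%3b": ";", "%3f": "?", "%23": "#"}
ENCODED = re.compile("|".join(re.escape(k) for k in RESTRICTED), re.IGNORECASE)

# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def encoded_restricted(target):
    """Return restricted characters found percent-encoded in the path part."""
    # Only the path is matched by Path/PathPrefix/PathRegex, so drop the query.
    path = target.split("?", 1)[0].split("#", 1)[0]
    return sorted({RESTRICTED[m.group(0).lower()] for m in ENCODED.finditer(path)})


def scan(lines):
    """Yield (line_number, target, hits) for each request worth reviewing."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        hits = encoded_restricted(match.group("target"))
        if hits:
            yield number, match.group("target"), hits


# Constructed sample log lines (documentation addresses, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Dec/2025:10:00:01 +0000] "GET /api/users?id=3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Dec/2025:10:00:02 +0000] "GET /static%2Fapp/index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [09/Dec/2025:10:00:03 +0000] "GET /search?q=a%2Fb%3Bc HTTP/1.1" 200 300',
    '203.0.113.9 - - [09/Dec/2025:10:00:04 +0000] "GET /files/report%3Bv=1%23top HTTP/1.1" 404 0',
    '203.0.113.9 - - [09/Dec/2025:10:00:05 +0000] "POST /upload%00.txt HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for number, target, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {target} encodes {hits} in the path")
```

Encoded characters that appear only in the query string (third sample line) are not reported, since the matchers named in the advisory operate on the path.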

References

CVE Name CVE-2025-66490
URL https://nvd.nist.gov/vuln/detail/CVE-2025-66490