Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from Vendor (https://github.com/traefik/traefik).
CVSS VectorVendor: https://github.com/traefik/traefik
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
Summary
There is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth.
The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret).
ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content
An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
For more information
If there are any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary>
Summary
StripPrefixRegex uses the byte length of a decoded Path match to slice the encoded RawPath. When percent-encoded characters are in the prefix region, this produces a wrong RawPath. ForwardAuth then receives this wrong path in X-Forwarded-Uri, sees a path that doesn't match its protection rules, and approves the request. The backend serves protected content.
Details
pkg/middlewares/stripprefixregex/strip_prefix_regex.go, line 62:
req.URL.RawPath = ensureLeadingSlash(req.URL.RawPath[len(prefix):])prefix comes from matching the regex against the decoded req.URL.Path (line 51). len(prefix) is then used to index into the encoded req.URL.RawPath. These lengths don't match when percent-encoding is present.
Example with regex ^/api:
- GET /api%20/admin/secret
- Decoded Path: /api /admin/secret -> prefix = /api (4 bytes)
- Encoded RawPath: /api%20/admin/secret -> same region is 6 bytes
- RawPath[4:] = %20/admin/secret -> after ensureLeadingSlash -> /%20/admin/secret
- ForwardAuth sees X-Forwarded-Uri: /%20/admin/secret -> not /admin/* -> allows it
- Backend serves the protected admin content
PoC
Requires Docker and Docker Compose. I have a setup that runs Traefik v3.6.11 with StripPrefixRegex + ForwardAuth + a backend. It sends a normal request (blocked, 403) and an encoded request (bypasses auth, 200, returns protected data). Can share the files here if useful.
Impact
Auth bypass. Any path protected by ForwardAuth, BasicAuth, or DigestAuth can be accessed without credentials when StripPrefixRegex is in the same middleware chain. The attacker only needs to add a percent-encoded character to the prefix portion of the URL.
---
Updated PoC (reporter follow-up)
After further testing, the confirmed working exploit uses %2e (percent-encoded dot) rather than %20. Dot-segment normalization (/./ -> /) is RFC 3986 standard behavior handled automatically by Express.js, Go's http.ServeMux, Spring Boot, and others - no custom configuration needed.
Chain:
GET /api%2e/admin/secret
-> StripPrefixRegex strips /api -> RawPath becomes /./admin/secret
-> ForwardAuth sees /./admin/secret -> does not match /admin/ -> allows
-> Express normalizes /./admin/secret -> /admin/secret -> serves protected contentResults (Traefik v3.6, unmodified Express.js express.static):
GET /api/admin/secret -> 403 (blocked)
GET /api%2e/admin/secret -> 200 (bypass - served protected content)
GET /api%20/admin/secret -> 404 (space not normalized by backend)Auth server logs:
X-Forwarded-Uri: '/admin/secret' -> DENIED
X-Forwarded-Uri: '/./admin/secret' -> ALLOWEDReproduction:
docker compose up -d --build --wait
curl http://localhost:8080/api/admin/secret
# -> 403
curl --path-as-is "http://localhost:8080/api%2e/admin/secret"
# -> 200</details>
---
AnalysisAI
Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.
Technical ContextAI
The vulnerability resides in Traefik's StripPrefixRegex middleware implementation (pkg/middlewares/stripprefixregex/strip_prefix_regex.go, line 62), which performs regex matching against the URL-decoded Path but then uses the matched string's byte length to slice the percent-encoded RawPath. This creates a byte-length mismatch when percent-encoded characters exist in the prefix region. Specifically, when %2e (encoded dot) appears in the prefix, the decoded prefix is shorter than its encoded equivalent, causing incorrect slicing that produces a dot-segment path like /./admin/secret. The ForwardAuth middleware receives this malformed path via the X-Forwarded-Uri header, which doesn't match configured protection patterns (e.g., /admin/*). However, RFC 3986-compliant backend servers automatically normalize dot-segments during path resolution, converting /./admin/secret to /admin/secret and serving the protected content. The vulnerability is rooted in CWE-706 (Use of Incorrectly-Resolved Name or Reference), where the authentication layer and backend server resolve the same URL to different paths. This affects Traefik v2.x and v3.x branches when StripPrefixRegex is chained with any authentication middleware (ForwardAuth, BasicAuth, DigestAuth). The flaw is particularly dangerous because dot-segment normalization is standard behavior in Express.js, Go's http.ServeMux, Spring Boot, and most modern web frameworks, requiring no special backend configuration.
RemediationAI
Upgrade Traefik to a patched version immediately: v2.11.43 for the v2.x branch (https://github.com/traefik/traefik/releases/tag/v2.11.43), v3.6.14 for the v3.6.x branch (https://github.com/traefik/traefik/releases/tag/v3.6.14), or v3.7.0-rc.2 or later for v3.7.x (https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2). If immediate patching is not feasible, implement one of these compensating controls: (1) Remove StripPrefixRegex middleware from any router configuration that includes ForwardAuth, BasicAuth, or DigestAuth-this eliminates the vulnerable code path but requires reconfiguring backend applications to handle full paths including prefixes; (2) Replace StripPrefixRegex with the StripPrefix middleware (non-regex version) if exact prefix matching suffices for your use case, as it does not exhibit this vulnerability; (3) Implement additional path validation in the ForwardAuth service to reject requests containing dot-segments (/./ or /../) in the X-Forwarded-Uri header-this adds defense-in-depth but may cause false positives if legitimate traffic uses these patterns; (4) Deploy a Web Application Firewall rule to block requests containing percent-encoded dots (%2e, %2E) in URL paths-this prevents exploitation but may break legitimate applications that require encoded dots. Each workaround has operational trade-offs: options 1-2 require configuration changes and possible application modifications, option 3 adds processing overhead and complexity to auth services, and option 4 risks blocking valid traffic. The vendor-supplied patch is the only complete remediation without side effects.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26428
GHSA-6jwx-7vp4-9847