
x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-q6gg-9f92-r9wg #3835

@GoVulnBot

Advisory GHSA-q6gg-9f92-r9wg references a vulnerability in the following Go modules:

Module
github.com/traefik/traefik
github.com/traefik/traefik/v2
github.com/traefik/traefik/v3

Description:

Summary

A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.
✅ After investigation, it is confirmed that no plugins on the Catalog were affected. There is no known impact.

Details

The vulnerability resides in t...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      non_go_versions:
        - introduced: TODO (earliest fixed "2.11.28", vuln range "<= 2.11.27")
        - introduced: TODO (earliest fixed "3.5.0", vuln range ">= 3.5.0-rc1, <= 3.5.0-rc2")
        - introduced: TODO (earliest fixed "3.4.5", vuln range "<= 3.4.4")
      vulnerable_at: 1.7.34
    - module: github.com/traefik/traefik/v2
      vulnerable_at: 2.11.28
    - module: github.com/traefik/traefik/v3
      vulnerable_at: 3.5.0
summary: |-
    Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File
    Overwrite and Remote Code Execution in github.com/traefik/traefik
cves:
    - CVE-2025-54386
ghsas:
    - GHSA-q6gg-9f92-r9wg
references:
    - advisory: https://github.com/advisories/GHSA-q6gg-9f92-r9wg
    - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg
    - fix: https://github.com/traefik/plugin-service/pull/71
    - fix: https://github.com/traefik/plugin-service/pull/72
    - fix: https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800
    - fix: https://github.com/traefik/traefik/pull/11911
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.28
notes:
    - fix: 'module merge error: could not merge versions of module github.com/traefik/traefik: invalid or non-canonical semver version (found TODO (earliest fixed "3.5.0", vuln range ">= 3.5.0-rc1, <= 3.5.0-rc2"))'
source:
    id: GHSA-q6gg-9f92-r9wg
    created: 2025-08-01T19:01:19.085071999Z
review_status: UNREVIEWED
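The advisory's core point is a Zip Slip: a plugin ZIP whose member names contain `../` is extracted by joining each name onto the plugin directory without checking that the result stays inside it. The following is an added example, not code from this issue, the advisory or the Traefik project, and it does not claim to reproduce Traefik's actual fix (see the linked PRs for that). It builds a constructed two-member archive in memory, extracts it once with a naive join and once with a containment check, and reports whether a file landed two directories above the destination. All function names (`naiveJoin`, `safeJoin`, `extract`, `runExtractor`) are hypothetical; it needs Go 1.20+ for `filepath.IsLocal` and `zip.ErrInsecurePath`, and writes only under a temporary directory that it removes.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrPathTraversal flags a member whose name would resolve outside dest.
var ErrPathTraversal = errors.New("zip entry escapes destination directory")

// buildArchive builds a constructed in-memory ZIP (not a real Traefik plugin).
func buildArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range [][2]string{
		{"plugin.wasm", "\x00asm"},     // benign member
		{"../../escaped.txt", "pwned"}, // climbs two levels above dest
	} {
		f, err := w.Create(e[0]) // archive/zip does not validate names on write
		if err != nil {
			panic(err)
		}
		io.WriteString(f, e[1])
	}
	w.Close()
	return buf.Bytes()
}

// naiveJoin is the flawed pattern: Join collapses "../", so the result can land anywhere above dest.
func naiveJoin(dest, name string) (string, error) {
	return filepath.Join(dest, name), nil
}

// safeJoin refuses absolute, volume-rooted and ".."-containing names, so Join cannot leave dest.
// A string-prefix test on dest is not a substitute: it accepts "/p/demo2/x" as inside "/p/demo".
func safeJoin(dest, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return filepath.Join(dest, name), nil
}

// extract unpacks data into dest, resolving each member name with join.
// zip.ErrInsecurePath (only raised under GODEBUG=zipinsecurepath=0) is tolerated so join alone decides.
func extract(data []byte, dest string, join func(dest, name string) (string, error)) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	for _, f := range r.File {
		target, err := join(dest, f.Name)
		if err != nil {
			return err
		}
		if !f.FileInfo().Mode().IsRegular() {
			continue // dirs are created on demand; symlink members (a second escape route) are dropped
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		body, err := io.ReadAll(rc) // fine for demo-sized members; stream real plugins
		rc.Close()
		if err != nil {
			return err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(target, body, 0o644); err != nil {
			return err
		}
	}
	return nil
}

// runExtractor extracts the demo archive into <root>/plugins/demo and reports whether <root>/escaped.txt appeared.
func runExtractor(join func(dest, name string) (string, error)) (escaped bool, extractErr error) {
	root, err := os.MkdirTemp("", "zipslip-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	dest := filepath.Join(root, "plugins", "demo")
	extractErr = extract(buildArchive(), dest, join)
	_, statErr := os.Stat(filepath.Join(root, "escaped.txt"))
	return statErr == nil, extractErr
}

func main() {
	fmt.Println(runExtractor(naiveJoin)) // true <nil>
	fmt.Println(runExtractor(safeJoin))  // false zip entry escapes destination directory: "../../escaped.txt"
}
```

Two caveats for anyone writing a real installer along these lines: validate every member name before writing any of them, so a hostile archive is rejected whole instead of left half-installed (the loop above stops at the first bad name, after the benign member has already been written), and treat symlink members as hostile rather than merely skipping them, since a symlink pointing outside the plugin directory followed by a member that writes through it is the same escape by another route.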
