CVE-2025-54386 Overview
CVE-2025-54386 is a path traversal vulnerability discovered in Traefik's WASM plugin installation mechanism. Traefik is a widely used HTTP reverse proxy and load balancer commonly deployed in containerized and microservices environments. The vulnerability exists in versions 2.11.27 and below, 3.0.0 through 3.4.4, and 3.5.0-rc1. By supplying a maliciously crafted ZIP archive whose entry names contain ../ sequences, an attacker can overwrite arbitrary files outside the intended plugin directory. This "Zip Slip" style attack can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.
Critical Impact
Successful exploitation allows attackers to overwrite arbitrary files on the system through malicious plugin archives, potentially leading to remote code execution, privilege escalation, or complete system compromise.
Affected Products
- Traefik versions 2.11.27 and below
- Traefik versions 3.0.0 through 3.4.4
- Traefik versions 3.5.0-rc1 and 3.5.0-rc2
Discovery Timeline
- 2025-08-02 - CVE-2025-54386 published to NVD
- 2025-11-26 - Last updated in NVD database
Technical Details for CVE-2025-54386
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists within Traefik's plugin service when handling ZIP archive extraction for WASM plugin installation. The vulnerability is classified as a "Zip Slip" attack, where specially crafted ZIP archives can escape the intended extraction directory.
When Traefik extracts plugin archives, it fails to properly sanitize file paths contained within the ZIP file. An attacker can craft a malicious archive where filenames include path traversal sequences such as ../../../etc/cron.d/malicious or ../../../root/.ssh/authorized_keys. Upon extraction, these files are written outside the plugin directory to arbitrary locations on the filesystem.
The network-based attack vector requires certain privileges and user interaction, but the potential impact is severe across confidentiality, integrity, and availability. Successful exploitation could allow an attacker to overwrite system binaries, configuration files, or inject malicious code that executes with Traefik's privileges.
Root Cause
The root cause is insufficient input validation during ZIP archive extraction in the plugin client code (pkg/plugins/client.go). The extraction routine did not properly validate or sanitize file paths extracted from ZIP entries before writing them to disk. This allowed relative path components (../) to be preserved, enabling directory escape during file creation.
The fix implements proper path validation in the unzipArchive function to ensure extracted files remain within the intended plugin directory boundary.
Attack Vector
The attack is network-based and requires an attacker to supply a malicious WASM plugin archive through Traefik's plugin installation mechanism. The attack flow involves:
- Attacker creates a malicious ZIP archive containing files with traversal paths (e.g., ../../../../tmp/exploit.sh)
- The archive is submitted through the plugin installation workflow
- Traefik's plugin client extracts the archive without proper path sanitization
- Files are written to arbitrary locations outside the plugin directory
- Attacker achieves code execution, privilege escalation, or denial of service depending on which files are overwritten
return nil
}
+ // Unzip as a generic archive if the module unzip fails.
+ // This is useful for plugins that have vendor directories or other structures.
return c.unzipArchive(pName, pVersion)
}
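Review bot: the added comment explains why the generic unzipArchive fallback exists but says nothing about path containment, and this fallback is the code path that wrote unvalidated ZIP entry names to disk. Add a line at the call site stating that unzipArchive rejects entries that resolve outside the plugin directory, so the contract is visible where the fallback is chosen, and back it with a test that feeds an archive containing a `../` entry name and asserts the fallback returns an error instead of writing outside the directory.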
Source: GitHub Commit 5ef853a
Detection Methods for CVE-2025-54386
Indicators of Compromise
- Unusual file modifications in system directories (/etc/, /usr/, /root/) coinciding with plugin installation activity
- Plugin installation logs showing suspicious archive names or unexpected extraction paths
- Files created outside Traefik's plugin directory that appear during or after plugin operations
- Unexpected cron jobs, SSH keys, or system configuration changes following Traefik plugin activity
Detection Strategies
- Monitor Traefik plugin installation logs for suspicious activity or errors during extraction
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Audit all plugin archives before installation using archive inspection tools to identify traversal sequences
- Deploy behavioral analysis to detect Traefik processes writing to unexpected filesystem locations
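The containment check the fix adds to the extractor (see Root Cause above) and the archive audit recommended in the detection strategies rely on the same test, so both are shown in one added Go example; this is illustrative code written for this page, not Traefik's own, and contained, auditArchive, buildSampleZip, the sample archive contents and the plugin directory path are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// contained: hypothetical helper (not Traefik's code) for the check the fix adds:
// the entry name joined to the plugin directory must still resolve inside it.
func contained(pluginDir, entryName string) bool {
	base := filepath.Clean(pluginDir)
	target := filepath.Join(base, entryName) // Join cleans, so "../" is resolved here
	return target == base || strings.HasPrefix(target, base+string(filepath.Separator))
}

// auditArchive: the pre-installation audit from the detection strategies; nothing is extracted.
func auditArchive(zr *zip.Reader, pluginDir string) []string {
	var bad []string
	for _, f := range zr.File {
		name := strings.ReplaceAll(f.Name, `\`, "/") // so "..\" sequences are caught too
		if !contained(pluginDir, name) {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

// buildSampleZip: constructed in-memory sample archive with one benign and two Zip Slip entries.
func buildSampleZip() *zip.Reader {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, name := range []string{"plugin.wasm", "../../../etc/cron.d/malicious", `..\..\evil.txt`} {
		w, _ := zw.Create(name)
		_, _ = w.Write([]byte("x"))
	}
	zw.Close()
	// With GODEBUG=zipinsecurepath=0, Go 1.20+ reports zip.ErrInsecurePath here yet still returns a usable reader.
	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if err != nil && err != zip.ErrInsecurePath {
		panic(err)
	}
	return zr
}

func main() {
	fmt.Println("suspect entries:", auditArchive(buildSampleZip(), "/etc/traefik/plugins/demo"))
}
```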
Monitoring Recommendations
- Enable verbose logging for Traefik plugin operations and forward logs to SIEM solutions
- Set up alerts for file system modifications in sensitive directories during plugin installation windows
- Monitor for processes spawned by Traefik that execute from non-standard locations
- Implement network monitoring to detect unusual outbound connections following plugin installations
How to Mitigate CVE-2025-54386
Immediate Actions Required
- Upgrade Traefik immediately to patched versions: 2.11.28, 3.4.5, or 3.5.0
- Review recently installed plugins and verify the integrity of plugin archives
- Audit the filesystem for any unexpected files that may have been written during plugin installations
- Restrict plugin installation permissions to trusted administrators only
Patch Information
Traefik has released security patches addressing this vulnerability. The fix is available in versions 2.11.28, 3.4.5, and 3.5.0. Organizations should upgrade to these versions immediately. Detailed patch information is available in the GitHub Security Advisory GHSA-q6gg-9f92-r9wg and the GitHub Release v2.11.28.
The security fix was implemented through GitHub Pull Request #11911 and related plugin service changes in GitHub Pull Request #71 and GitHub Pull Request #72.
Workarounds
- Disable WASM plugin installation capabilities until patches can be applied
- Implement network-level controls to restrict access to plugin installation endpoints
- Use container security policies to restrict Traefik's filesystem write permissions
- Manually validate all plugin ZIP archives for path traversal sequences before installation
# Example: Check ZIP archive for path traversal sequences before installation
unzip -l plugin.zip | grep -E '\.\./|\.\.\\' && echo "WARNING: Potential path traversal detected"
# Restrict Traefik plugin directory permissions
chmod 750 /etc/traefik/plugins
chown traefik:traefik /etc/traefik/plugins
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.