Listen to this Post
How the mentioned CVE works (around 20 lines):
The vulnerability resides in Traefik’s StripPrefixRegex middleware. When handling a request, the middleware first decodes the URL path and matches it against a regex pattern (e.g., ^/api). It extracts the matched prefix from the decoded path and uses the byte length of that prefix (len(prefix)) to slice the encoded raw path (req.URL.RawPath). However, if the prefix contains percent-encoded characters, the byte lengths differ because encoded characters occupy more bytes (e.g., `%2e` is 3 bytes vs `.` is 1 byte). This mismatch causes `RawPath` to be sliced incorrectly. For a request like GET /api%2e/admin/secret, the decoded path is `/api./admin/secret` and the prefix match is `/api` (4 bytes). The encoded `RawPath` is `/api%2e/admin/secret` – slicing from index 4 yields %2e/admin/secret, which after `ensureLeadingSlash` becomes /.%2e/admin/secret? Actually careful: The shows `/api%2e` gives `%2e/admin/secret` then leading slash -> /.%2e/admin/secret? But the updated PoC says the raw path becomes `/./admin/secret` because `%2e` decodes to a dot. Wait: The middleware does not decode again; it slices the encoded string. For %2e, the encoded `RawPath` contains the literal characters %2e. Slicing after `/api` (which is 4 chars) gives %2e/admin/secret. Then `ensureLeadingSlash` adds a slash at front -> /%2e/admin/secret. That string is passed to `ForwardAuth` as X-Forwarded-Uri. The auth server sees `/%2e/admin/secret` and, assuming it doesn’t match protected paths like /admin/, allows the request. The backend, however, normalizes `%2e` to `.` and then interprets `/.` as a dot-segment per RFC 3986, which collapses to /, resulting in /admin/secret. Thus the protected content is served without authentication. The attacker only needs to inject `%2e` (percent-encoded dot) into the prefix portion of the URL.
dailycve form:
Platform: Traefik
Version: v3.6.11 (and possibly others)
Vulnerability: Auth bypass via path normalization
Severity: Critical
date: 2024-04-24 (approximate from disclosure)
Prediction: Patch expected within 2 weeks (already fixed in v3.7.0?)
Analytics under heading What Undercode Say:
Count requests with encoded dots in prefix
grep -E "%2[bash]" /var/log/traefik/access.log | wc -l
Simulate attack with curl
curl --path-as-is "http://localhost:8080/api%2e/admin/secret"
Test for vulnerable middleware chain using custom script
for enc in %2e %2E .%2e; do curl -s -o /dev/null -w "%{http_code}\n" "http://target/api${enc}/admin/secret"; done
Exploit:
Direct bypass using %2e (URL-encoded dot) curl --path-as-is "http://<traefik-host>:8080/api%2e/admin/secrets" Alternatively use double dot normalization curl --path-as-is "http://<traefik-host>:8080/api%2e%2e/admin/secrets" For BasicAuth-protected endpoints, add any credentials (they are ignored) curl -u fake:fake --path-as-is "http://<traefik-host>:8080/api%2e/admin/config"
Protection from this CVE:
- Upgrade Traefik to a patched version (v3.7.0 or higher) – official fix adjusts length calculation.
- As a temporary workaround, avoid using `StripPrefixRegex` together with
ForwardAuth,BasicAuth, or `DigestAuth` on the same router. - Implement additional input validation middleware that rejects URLs containing `%2e` (or
%2E) before the path normalization step. - Use a reverse proxy with stricter path handling (e.g., nginx with `merge_slashes off` and explicit deny for dot-segments).
Impact:
- Unauthenticated attackers can access any protected endpoint that relies on
ForwardAuth,BasicAuth, or `DigestAuth` when `StripPrefixRegex` is in the chain. - Backends that normalize dot-segments per RFC 3986 (Express.js, Go
http.ServeMux, Spring Boot, etc.) are vulnerable, turning `/.` or `/./` into/. - The bypass works silently – no login attempts or anomalies appear in auth logs for the real path; only dot-segment paths are logged.
- Critical severity because it completely nullifies authentication for many routes, leading to data exposure, configuration retrieval, and potential remote code execution if admin endpoints are exposed.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

