CVE-2025-66490

MEDIUM
Published Dec 9, 2025 Modified Mar 6, 2026 CWE-436

Description

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3.

CVSS v3.1 Score

6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weakness Type (CWE)

CWE-436 CWE-436

Affected Products

Vendor Product
traefik traefik
traefik traefik

References

Frequently Asked Questions

What is CVE-2025-66490? +
Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3. It has a CVSS v3.1 base score of 6.5 (MEDIUM).
How severe is CVE-2025-66490? +
CVE-2025-66490 has a CVSS v3.1 score of 6.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.
What products are affected by CVE-2025-66490? +
CVE-2025-66490 affects products from traefik, specifically: traefik. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-66490? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-42274

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule …
CVE-2026-42273

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host …
CVE-2026-42272

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded …
CVE-2025-54368

uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were …
CVE-2025-25291 9.8

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml …
CVE-2026-8034 9.8

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-66490 — free, no signup required.

Start Free Scan