CVE-2025-54386CRITICAL 9.8EPSS p59.4%

CVE-2025-54386CVE-2025-54386

Description

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS1.03% probability of exploitation · percentile 59.4% · 2026-06-18T12:00:27Z
Published2025-08-02
Last modified2025-11-26

Underlying weaknesses· 2

CWE-22CWE-30

References

  1. https://github.com/traefik/plugin-service/pull/71
  2. https://github.com/traefik/plugin-service/pull/72
  3. https://github.com/traefik/traefik/commit/5ef853a0c53068f69a6c229a5815a0dc6e0a8800
  4. https://github.com/traefik/traefik/pull/11911
  5. https://github.com/traefik/traefik/releases/tag/v2.11.28
  6. https://github.com/traefik/traefik/security/advisories/GHSA-q6gg-9f92-r9wg

2

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live
WeaknessPath Traversal: '\dir\..\filename'cwe-300%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-32431
CVE
CVE-2025-47952
CVE
CVE-2026-40912
CVE
CVE-2026-35051
CVE
CVE-2026-44774
CVE
CVE-2026-45630
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.