vulnerability

FreeBSD: VID-91b9790e-de65-11f0-b893-5404a68ad561 (CVE-2025-66490): traefik -- Bypassing security controls via special characters

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:P/I:P/A:N)	Dec 21, 2025	Jan 27, 2026	Jan 27, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Dec 21, 2025

Added

Jan 27, 2026

Modified

Jan 27, 2026

Description

The traefik project reports: There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the following set ('/', '', 'Null', ';', '?', '#'), it is possible to target a backend, exposed using another router, by-passing the middlewares chain.

Solution

freebsd-upgrade-package-traefik

References

CVE-2025-66490
https://attackerkb.com/topics/CVE-2025-66490
CWE-436

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today