cvelistv5 - cve-2025-47952

CVE-2025-47952 (GCVE-0-2025-47952)

Vulnerability from cvelistv5

Published

2025-05-30 03:37

Modified

2025-05-30 12:44

Severity ?

2.9 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.

References

►

URL

	Vendor	Product	Version
	traefik	traefik	Version: < 3.4.1 Version: < 2.11.25

fkie_cve-2025-47952

Vulnerability from fkie_nvd

Published

2025-05-30 04:15

Modified

2025-05-30 16:31

Severity ?

2.9 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.25
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.4.1
	security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it\u2019s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1."
    },
    {
      "lang": "es",
      "value": "Traefik (pronunciado \"traffic\") es un proxy inverso HTTP y balanceador de carga. En versiones anteriores a la 2.11.25 y la 3.4.1, exist\u00eda una vulnerabilidad potencial en Traefik al gestionar las solicitudes mediante un comparador PathPrefix, Path o PathRegex. Cuando Traefik se configura para enrutar las solicitudes a un backend mediante un comparador basado en la ruta, si la URL contiene una cadena codificada, es posible atacar un backend expuesto mediante otro enrutador, omitiendo la cadena de middleware. Este problema se ha corregido en las versiones 2.11.25 y la 3.4.1."
    }
  ],
  "id": "CVE-2025-47952",
  "lastModified": "2025-05-30T16:31:03.107",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.9,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-30T04:15:46.900",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.25"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.4.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-vrch-868g-9jx5

Vulnerability from github

Published

2025-05-28 14:25

Modified

2025-05-30 15:17

Severity ?

2.9 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Summary

Traefik allows path traversal using url encoding

Details

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

yaml apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: my-service spec: routes: - match: PathPrefix(‘/service’) kind: Rule services: - name: service-a port: 8080 middlewares: - name: my-middleware-a - match: PathPrefix(‘/service/sub-path’) kind: Rule services: - name: service-a port: 8080

In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.25
https://github.com/traefik/traefik/releases/tag/v3.4.1

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary Path traversal with "/../" using URL encodings ("/%2e%2e") allows for circumventing routing rules. ### Details When having defined a route, you can path traverse using the URL encoded variant of /../ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /../ and has been fixed in this CVE. This URL encoding trick works around that https://nvd.nist.gov/vuln/detail/CVE-2025-32431 Simply implementing a check on the URL encoding won't be sufficient as path traversal can take numerous formats. See examples here: https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html ### PoC Setup a service with two endpoints: "/public" and "/private", which returns a 200 OK for both Setup a Traefik proxy with a single route which points to the service using path /public Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik) When making a request to /public/%2e%2e/private you should receive a 200 OK. ### Impact Impacts all traefik implementations with path prefix routes that expose only part of the downstream api ### Suggestion Provide configuration property which disables all path traversals. Steps: 1. Decode URL 2. Evaluate and construct relative path (do traversal before route evaluation) 3. Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.24"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T14:25:09Z",
    "nvd_published_at": "2025-05-30T04:15:46Z",
    "severity": "LOW"
  },
  "details": "## Impact\n\nThere is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.\n\nWhen Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it\u2019s possible to target a backend, exposed using another router, by-passing the middlewares chain.\n\n## Example\n\n```yaml\napiVersion: traefik.io/v1alpha1\nkind: IngressRoute\nmetadata:\n  name: my-service\nspec:\n  routes:\n    - match: PathPrefix(\u2018/service\u2019)\n      kind: Rule\n      services:\n        - name: service-a\n          port: 8080\n      middlewares:\n        - name: my-middleware-a\n    - match: PathPrefix(\u2018/service/sub-path\u2019)\n      kind: Rule\n      services:\n        - name: service-a\n          port: 8080\n```\n\nIn such a case, the request `http://mydomain.example.com/service/sub-path/%2e%2e/other-path` will reach the backend `my-service-a` without operating the middleware `my-middleware-a` unless the computed path is `http://mydomain.example.com/service/other-path` and should be computes by the first router (operating `my-middleware-a`).\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.25\n- https://github.com/traefik/traefik/releases/tag/v3.4.1\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n### Summary\n\nPath traversal with \"/../\" using URL encodings (\"/%2e%2e\") allows for circumventing routing rules. \n\n### Details\n\nWhen having defined a route, you can path traverse using the URL encoded variant of /../ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /../ and has been fixed in this CVE. This URL encoding trick works around that\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32431\n\nSimply implementing a check on the URL encoding won\u0027t be sufficient as path traversal can take numerous formats. See examples here:\nhttps://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html\n\n### PoC\n\nSetup a service with two endpoints: \"/public\" and \"/private\", which returns a 200 OK for both\nSetup a Traefik proxy with a single route which points to the service using path /public\n\nRegular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik)\nWhen making a request to /public/%2e%2e/private you should receive a 200 OK.\n\n### Impact\nImpacts all traefik implementations with path prefix routes that expose only part of the downstream api\n\n### Suggestion\nProvide configuration property which disables all path traversals. Steps:\n1. Decode URL\n2. Evaluate and construct relative path (do traversal before route evaluation)\n3. Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp)\n\u003c/details\u003e",
  "id": "GHSA-vrch-868g-9jx5",
  "modified": "2025-05-30T15:17:40Z",
  "published": "2025-05-28T14:25:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-vrch-868g-9jx5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47952"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/08d5dfee0164aa54dd44a467870042e18e8d3f00"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.25"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.4.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik allows path traversal using url encoding"
}

opensuse-su-2025:15304-1

Vulnerability from csaf_opensuse

Published

2025-07-03 00:00

Modified

2025-07-03 00:00

Summary

traefik-3.4.3-1.1 on GA media

Notes

Title of the patch

traefik-3.4.3-1.1 on GA media

Description of the patch

These are all security issues fixed in the traefik-3.4.3-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15304

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik-3.4.3-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik-3.4.3-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15304",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15304-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-4533 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-4533/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45338 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45338/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22868 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22868/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22869 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22869/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22872 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22872/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-27144 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-27144/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-47952 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-47952/"
      }
    ],
    "title": "traefik-3.4.3-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-07-03T00:00:00Z",
      "generator": {
        "date": "2025-07-03T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15304-1",
      "initial_release_date": "2025-07-03T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-07-03T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.4.3-1.1.aarch64",
                "product": {
                  "name": "traefik-3.4.3-1.1.aarch64",
                  "product_id": "traefik-3.4.3-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.4.3-1.1.ppc64le",
                "product": {
                  "name": "traefik-3.4.3-1.1.ppc64le",
                  "product_id": "traefik-3.4.3-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.4.3-1.1.s390x",
                "product": {
                  "name": "traefik-3.4.3-1.1.s390x",
                  "product_id": "traefik-3.4.3-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.4.3-1.1.x86_64",
                "product": {
                  "name": "traefik-3.4.3-1.1.x86_64",
                  "product_id": "traefik-3.4.3-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64"
        },
        "product_reference": "traefik-3.4.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le"
        },
        "product_reference": "traefik-3.4.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.4.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x"
        },
        "product_reference": "traefik-3.4.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        },
        "product_reference": "traefik-3.4.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-4533",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-4533"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The KKProgressbar2 Free  WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-4533",
          "url": "https://www.suse.com/security/cve/CVE-2024-4533"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-4533"
    },
    {
      "cve": "CVE-2024-45338",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45338"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45338",
          "url": "https://www.suse.com/security/cve/CVE-2024-45338"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234794 for CVE-2024-45338",
          "url": "https://bugzilla.suse.com/1234794"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45338"
    },
    {
      "cve": "CVE-2025-22868",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22868"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22868",
          "url": "https://www.suse.com/security/cve/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239185 for CVE-2025-22868",
          "url": "https://bugzilla.suse.com/1239185"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239186 for CVE-2025-22868",
          "url": "https://bugzilla.suse.com/1239186"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-22868"
    },
    {
      "cve": "CVE-2025-22869",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22869"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22869",
          "url": "https://www.suse.com/security/cve/CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239322 for CVE-2025-22869",
          "url": "https://bugzilla.suse.com/1239322"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-22869"
    },
    {
      "cve": "CVE-2025-22872",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22872"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22872",
          "url": "https://www.suse.com/security/cve/CVE-2025-22872"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1241710 for CVE-2025-22872",
          "url": "https://bugzilla.suse.com/1241710"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-22872"
    },
    {
      "cve": "CVE-2025-27144",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-27144"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-27144",
          "url": "https://www.suse.com/security/cve/CVE-2025-27144"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1237608 for CVE-2025-27144",
          "url": "https://bugzilla.suse.com/1237608"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1237609 for CVE-2025-27144",
          "url": "https://bugzilla.suse.com/1237609"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-27144"
    },
    {
      "cve": "CVE-2025-47952",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-47952"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it\u0027s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
          "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-47952",
          "url": "https://www.suse.com/security/cve/CVE-2025-47952"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243818 for CVE-2025-47952",
          "url": "https://bugzilla.suse.com/1243818"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.s390x",
            "openSUSE Tumbleweed:traefik-3.4.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-47952"
    }
  ]
}

opensuse-su-2025:15188-1

Vulnerability from csaf_opensuse

Published

2025-06-01 00:00

Modified

2025-06-01 00:00

Summary

govulncheck-vulndb-0.0.20250529T205903-1.1 on GA media

Notes

Title of the patch

govulncheck-vulndb-0.0.20250529T205903-1.1 on GA media

Description of the patch

These are all security issues fixed in the govulncheck-vulndb-0.0.20250529T205903-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15188

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "govulncheck-vulndb-0.0.20250529T205903-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250529T205903-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15188",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15188-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:15188-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5W5NDYFJCKVTB2UYZO6OSRFA7RGWGHY3/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:15188-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5W5NDYFJCKVTB2UYZO6OSRFA7RGWGHY3/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-4057 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-4057/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-47933 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-47933/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-47952 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-47952/"
      }
    ],
    "title": "govulncheck-vulndb-0.0.20250529T205903-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-06-01T00:00:00Z",
      "generator": {
        "date": "2025-06-01T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15188-1",
      "initial_release_date": "2025-06-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-06-01T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
                  "product_id": "govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
                  "product_id": "govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
                  "product_id": "govulncheck-vulndb-0.0.20250529T205903-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64",
                  "product_id": "govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-4057",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-4057"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in ActiveMQ Artemis. The password generated by activemq-artemis-operator does not regenerate between separated CR dependencies.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-4057",
          "url": "https://www.suse.com/security/cve/CVE-2025-4057"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-01T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-4057"
    },
    {
      "cve": "CVE-2025-47933",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-47933"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-47933",
          "url": "https://www.suse.com/security/cve/CVE-2025-47933"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243791 for CVE-2025-47933",
          "url": "https://bugzilla.suse.com/1243791"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-01T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-47933"
    },
    {
      "cve": "CVE-2025-47952",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-47952"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it\u0027s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-47952",
          "url": "https://www.suse.com/security/cve/CVE-2025-47952"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243818 for CVE-2025-47952",
          "url": "https://bugzilla.suse.com/1243818"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250529T205903-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-01T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-47952"
    }
  ]
}

opensuse-su-2025:15305-1

Vulnerability from csaf_opensuse

Published

2025-07-03 00:00

Modified

2025-07-03 00:00

Summary

traefik2-2.11.26-1.1 on GA media

Notes

Title of the patch

traefik2-2.11.26-1.1 on GA media

Description of the patch

These are all security issues fixed in the traefik2-2.11.26-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15305

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik2-2.11.26-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik2-2.11.26-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15305",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15305-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-28180 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-28180/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-45338 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-45338/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22868 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22868/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22869 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22869/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22871 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22871/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22872 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22872/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-27144 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-27144/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-32431 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-32431/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-47952 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-47952/"
      }
    ],
    "title": "traefik2-2.11.26-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-07-03T00:00:00Z",
      "generator": {
        "date": "2025-07-03T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15305-1",
      "initial_release_date": "2025-07-03T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-07-03T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.26-1.1.aarch64",
                "product": {
                  "name": "traefik2-2.11.26-1.1.aarch64",
                  "product_id": "traefik2-2.11.26-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.26-1.1.ppc64le",
                "product": {
                  "name": "traefik2-2.11.26-1.1.ppc64le",
                  "product_id": "traefik2-2.11.26-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.26-1.1.s390x",
                "product": {
                  "name": "traefik2-2.11.26-1.1.s390x",
                  "product_id": "traefik2-2.11.26-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.26-1.1.x86_64",
                "product": {
                  "name": "traefik2-2.11.26-1.1.x86_64",
                  "product_id": "traefik2-2.11.26-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.26-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64"
        },
        "product_reference": "traefik2-2.11.26-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.26-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le"
        },
        "product_reference": "traefik2-2.11.26-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.26-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x"
        },
        "product_reference": "traefik2-2.11.26-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.26-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        },
        "product_reference": "traefik2-2.11.26-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-28180",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-28180"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-28180",
          "url": "https://www.suse.com/security/cve/CVE-2024-28180"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234984 for CVE-2024-28180",
          "url": "https://bugzilla.suse.com/1234984"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-28180"
    },
    {
      "cve": "CVE-2024-45338",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-45338"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-45338",
          "url": "https://www.suse.com/security/cve/CVE-2024-45338"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234794 for CVE-2024-45338",
          "url": "https://bugzilla.suse.com/1234794"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-45338"
    },
    {
      "cve": "CVE-2025-22868",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22868"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22868",
          "url": "https://www.suse.com/security/cve/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239185 for CVE-2025-22868",
          "url": "https://bugzilla.suse.com/1239185"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239186 for CVE-2025-22868",
          "url": "https://bugzilla.suse.com/1239186"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-22868"
    },
    {
      "cve": "CVE-2025-22869",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22869"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22869",
          "url": "https://www.suse.com/security/cve/CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239322 for CVE-2025-22869",
          "url": "https://bugzilla.suse.com/1239322"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-22869"
    },
    {
      "cve": "CVE-2025-22871",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22871"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22871",
          "url": "https://www.suse.com/security/cve/CVE-2025-22871"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1240550 for CVE-2025-22871",
          "url": "https://bugzilla.suse.com/1240550"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-22871"
    },
    {
      "cve": "CVE-2025-22872",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22872"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22872",
          "url": "https://www.suse.com/security/cve/CVE-2025-22872"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1241710 for CVE-2025-22872",
          "url": "https://bugzilla.suse.com/1241710"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-22872"
    },
    {
      "cve": "CVE-2025-27144",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-27144"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-27144",
          "url": "https://www.suse.com/security/cve/CVE-2025-27144"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1237608 for CVE-2025-27144",
          "url": "https://bugzilla.suse.com/1237608"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1237609 for CVE-2025-27144",
          "url": "https://bugzilla.suse.com/1237609"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-27144"
    },
    {
      "cve": "CVE-2025-32431",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-32431"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it\u0027s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a `PathRegexp` rule to the matcher to prevent matching a route with a `/../` in the path.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-32431",
          "url": "https://www.suse.com/security/cve/CVE-2025-32431"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-32431"
    },
    {
      "cve": "CVE-2025-47952",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-47952"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it\u0027s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.25 and 3.4.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-47952",
          "url": "https://www.suse.com/security/cve/CVE-2025-47952"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243818 for CVE-2025-47952",
          "url": "https://bugzilla.suse.com/1243818"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.26-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-47952"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-47952 (GCVE-0-2025-47952)

Vulnerability from cvelistv5

fkie_cve-2025-47952

Vulnerability from fkie_nvd

ghsa-vrch-868g-9jx5

Vulnerability from github

Impact

Example

Patches

For more information

opensuse-su-2025:15304-1

Vulnerability from csaf_opensuse

opensuse-su-2025:15188-1

Vulnerability from csaf_opensuse

opensuse-su-2025:15305-1

Vulnerability from csaf_opensuse

Tags

Sightings

Nomenclature