Traefik is a powerful, open-source HTTP reverse proxy and load balancer used by developers and system administrators to manage and route incoming traffic to their applications. A recent vulnerability, tracked as CVE-2023-47106, has been discovered in the way Traefik handles URL fragments. It allows a malicious actor to bypass access-control restrictions enforced by a frontend proxy by exploiting that URL-encoding behavior.


1. Traefik:
2. CVE-2023-47106:
3. RFC 723:

Consider this setup, where Traefik routes requests to a backend server: -> Traefik ->

When a request comes in with a URL fragment, such as

Traefik percent-encodes the fragment and forwards it as part of the request-target, so the backend server receives the following request:

As per RFC 723, URL fragments must not be included in the origin-form request-target sent to the backend server. The origin-form consists only of the absolute path and the query; the fragment is client-side state and should never be forwarded.

This vulnerability can be exploited when Traefik is used in conjunction with another frontend proxy, like Nginx. If Nginx is blocking access to a specific path, a malicious actor could craft a URL with a fragment in such a way that the URL-encoded path bypasses the access control restrictions in place.

For example, consider the following Nginx access control configuration:

location /sensitive-page {
  deny all;
}

A malicious user could construct this URL:

When processed by Traefik, the request sent to the backend server would be:

This request would bypass the Nginx access control rule, potentially granting unauthorized access to sensitive information.
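To make the origin-form rule above concrete, and to give defenders something to run against their own access logs, here is an added Go example; it is not Traefik's code and not part of the original advisory. `OriginForm` rebuilds the request-target a proxy should forward, discarding any fragment instead of encoding it, and reports whether one was present. `SuspiciousTarget` and `FlagLogLines` flag request-targets that carry a literal `#` (which a conforming HTTP client never sends) or a percent-encoded `%23` in the path, which is what a backend sees once a proxy in front has encoded and forwarded a fragment. The function names, the `sampleLog` lines and the paths in them are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OriginForm rebuilds a raw request-target as origin-form: absolute path plus
// optional query, with the fragment discarded rather than percent-encoded and
// forwarded. It also reports whether a fragment was present so the caller can
// log the event. Hypothetical helper, not Traefik's own implementation.
func OriginForm(rawTarget string) (target string, hadFragment bool, err error) {
	u, err := url.Parse(rawTarget)
	if err != nil {
		// Fail closed: an unparseable target is never forwarded as-is.
		return "", false, err
	}
	hadFragment = strings.Contains(rawTarget, "#")
	path := u.EscapedPath() // preserves the path's original percent-encoding
	if path == "" {
		path = "/"
	}
	target = path
	if u.RawQuery != "" {
		target += "?" + u.RawQuery
	}
	return target, hadFragment, nil
}

// SuspiciousTarget returns the reasons a request-target deserves a closer look:
// a literal fragment delimiter, or a percent-encoded one in the path (what a
// backend receives when an upstream proxy encodes and forwards the fragment).
func SuspiciousTarget(rawTarget string) []string {
	var reasons []string
	if strings.Contains(rawTarget, "#") {
		reasons = append(reasons, "literal '#' in request-target")
	}
	if strings.Contains(strings.ToLower(rawTarget), "%23") {
		reasons = append(reasons, "percent-encoded '#' (%23) in path")
	}
	return reasons
}

// requestTarget pulls the request-target out of a common-log-format line:
// the second token of the quoted request field.
func requestTarget(line string) (string, bool) {
	start := strings.Index(line, `"`)
	if start < 0 {
		return "", false
	}
	rest := line[start+1:]
	end := strings.Index(rest, `"`)
	if end < 0 {
		return "", false
	}
	parts := strings.Fields(rest[:end])
	if len(parts) < 2 {
		return "", false
	}
	return parts[1], true
}

// FlagLogLines runs SuspiciousTarget over access-log lines and returns one
// entry per flagged request-target.
func FlagLogLines(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		target, ok := requestTarget(line)
		if !ok {
			continue
		}
		if reasons := SuspiciousTarget(target); len(reasons) > 0 {
			flagged = append(flagged, target+" -> "+strings.Join(reasons, "; "))
		}
	}
	return flagged
}

// sampleLog is constructed for this example; it is not a real capture.
var sampleLog = []string{
	`10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512`,
	`10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /docs?v=2#intro HTTP/1.1" 200 1024`,
	`10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /%23/sensitive-page HTTP/1.1" 200 1024`,
}

func main() {
	for _, raw := range []string{"/docs?v=2#intro", "/index.html"} {
		target, frag, err := OriginForm(raw)
		fmt.Printf("%-18s -> %-12s fragment=%v err=%v\n", raw, target, frag, err)
	}
	for _, f := range FlagLogLines(sampleLog) {
		fmt.Println("flagged:", f)
	}
}
```

Dropping the fragment and failing closed on a parse error is the conservative forwarding behaviour; the detection side keys on `%23` as well as `#` because the encoded form is the only trace left in backend logs after a proxy has already forwarded the fragment.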


This vulnerability has been addressed in Traefik versions 2.10.6 and 3..-beta5. Users are advised to upgrade their Traefik installations to one of these versions to mitigate the risk.

No known workarounds exist for this vulnerability; upgrading is the recommended course of action.


CVE-2023-47106 represents a significant vulnerability in Traefik's handling of URL fragments. By upgrading to a version with the patch, developers and system administrators can protect their applications and infrastructure from potentially severe consequences due to unauthorized access. It's important to stay informed of such developments in the security landscape, and always take precautions by keeping software up-to-date and regularly reviewing security practices.


Published on: 12/04/2023 21:15:33 UTC
Last modified on: 12/07/2023 21:01:57 UTC