New Security Updates for Traefik 2.11 (2.11.32), and 3.6 (3.6.4)

On December 6, 2025, we patched the following vulnerabilities with Traefik Proxy 2.11.32 and 3.6.4:

If you have any questions or comments about this vulnerability, please add a comment.

@nicomengin Thanks for the update.

Does this change mean that percent encoding with % is still permitted for normal URL escaping, but specifically escaping the percent sign itself as %25 in the path is now blocked by default?
Or, more precisely, will this fully disable percent encoding for URLs? Percent-encoding - Wikipedia

Am I correct to assume that this applies to Traefik’s entrypoint, and thus encoded characters in the path (such as %25) will also be blocked for requests routed to backend applications behind Traefik?

Thanks in advance!

Hello @huebi,

Thank you for reaching out.

We’ve documented the new behavior and the way to skip it in the migration guide.
If you don’t find the information you are looking for in this documentation, please follow up on this topic.

Regards

After sleeping over it, it became clear to me.
Basically, traefik is blocking a few encoded characters in URLs.

I really got confused yesterday by the character column.

So / is valid, but an encoded slash (%2f or %2F) will be blocked.


For those who use Sonatype Nexus with Traefik >= 3.6.4 and get issues with their npm registry: Setting entryPoints.<name>.http.encodedCharacters.allowEncodedSlash to true will help.

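For readers who want to see what the setting named above looks like in practice, here is an added example (not configuration taken from this thread or from the Traefik project) of the opt-out in both static-configuration forms. The entrypoint name `web` is an assumption; the only key taken from the page is `entryPoints.<name>.http.encodedCharacters.allowEncodedSlash`. On releases where the block is on by default, leaving the key unset keeps `%2F`/`%2f` in the path rejected at the entrypoint, so set it only for entrypoints whose backends (such as an npm registry that uses encoded slashes in scoped package names) genuinely need it, and keep it off elsewhere.

```yaml
# Added example: Traefik static configuration (file provider).
# Assumed entrypoint name: "web". Key path is the one named in the thread.
entryPoints:
  web:
    address: ":80"
    http:
      encodedCharacters:
        # Default on affected releases is to block an encoded slash (%2F / %2f)
        # in the request path. Setting this to true re-allows it for this
        # entrypoint only; other entrypoints keep the secure default.
        allowEncodedSlash: true

# Equivalent CLI flag form (same key path, assumed entrypoint name "web"):
#   --entrypoints.web.http.encodedCharacters.allowEncodedSlash=true
```

Scoping the relaxation to a single entrypoint is the practical compromise: the npm registry entrypoint gets the behaviour it needs, while the entrypoints serving other applications still refuse encoded slashes.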

Hey there,

There is some news about this topic in this GitHub Issue.

We need your opinion to make a decision, so do not hesitate to take a look and leave feedback.

Cc @huebi @wollomatic


Really not a big fan of this change.

Secure by default should be preferred.

Advanced users of traefik can adjust the configuration as needed.

According to "Semantic Versioning 2.0" (link):

Semantic Versioning 2.0.0

Summary

Given a version number MAJOR.MINOR.PATCH, increment the:

  1. MAJOR version when you make incompatible API changes
  2. MINOR version when you add functionality in a backward compatible manner
  3. PATCH version when you make backward compatible bug fixes

Personally I was really surprised by this breaking change in a minor version. For most of my containers I simply apply PATCH and MINOR upgrades because they should be compatible.

Hello @bluepuma77,

Thank you for your feedback.

I’m speaking on my behalf.

I understand your PoV, but with the maintainers’ team, we have always wanted to be “Security First”.

That is why we have authorized such a breaking change in a patch version.

After discussion with the community, we’ve finally rolled back the decision, and the new behavior is opt-in, starting with Traefik v3.6.7.

We are having an internal discussion about how to avoid this kind of issue in the future.

Thanks again for sharing and helping us to make Traefik better.