Caddy
Monthly
Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows remote attackers to perform double variable expansion on user-controlled input, enabling disclosure of environment variables and file contents. By injecting placeholders like {env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.
Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in ClientCAs handling are silenced, potentially accepting invalid client certificates. PoC available.
Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-based security controls through specially crafted requests. The vulnerability affects systems with specific Caddy configurations and has public exploit code available. Exploitation requires network access with no authentication, resulting in limited information disclosure or modification of restricted resources.