MidnightBSD

Advisories for caddyserver

CVE-2018-19148 MEDIUM

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2018-21246 HIGH

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2022-28923

Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
caddyserver caddy 2.4.6
CVE-2022-29718 MEDIUM

Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2022-34037

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrator's bad configuration containing a malformed request URI caused the server to return an empty reply instead of a valid HTTP response to the client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
caddyserver caddy 2.5.1
CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat advanced_cluster_management_for_kubernetes 2.0
redhat logging_subsystem_for_red_hat_openshift -
projectcontour contour *
netapp astra_control_center -
envoyproxy envoy 1.25.9
debian debian_linux 10.0
grpc grpc *
microsoft windows_server_2022 -
redhat openstack_platform 16.1
cisco ultra_cloud_core_-_serving_gateway_function *
cisco nx-os *
f5 big-ip_carrier-grade_nat 17.1.0
konghq kong_gateway *
cisco connected_mobile_experiences *
f5 big-ip_advanced_firewall_manager 17.1.0
cisco crosswork_situation_manager -
redhat openshift_service_mesh 2.0
microsoft windows_10_21h2 *
redhat enterprise_linux 8.0
golang networking *
linkerd linkerd 2.13.1
cisco prime_cable_provisioning *
cisco data_center_network_manager -
redhat self_node_remediation_operator -
redhat openshift_developer_tools_and_services -
cisco prime_network_registrar *
redhat openshift -
cisco prime_infrastructure *
redhat openshift_distributed_tracing -
redhat openstack_platform 16.2
apache traffic_server *
f5 big-ip_ddos_hybrid_defender *
f5 big-ip_policy_enforcement_manager *
redhat openshift_sandboxed_containers -
f5 big-ip_ssl_orchestrator 17.1.0
redhat decision_manager 7.0
f5 big-ip_policy_enforcement_manager 17.1.0
f5 big-ip_advanced_firewall_manager *
ietf http 2.0
f5 big-ip_link_controller *
cisco crosswork_data_gateway *
redhat openshift_secondary_scheduler_operator -
redhat cryostat 2.0
redhat cost_management -
dena h2o *
f5 nginx_plus r30
f5 big-ip_webaccelerator 17.1.0
linkerd linkerd *
f5 big-ip_analytics *
cisco ios_xr *
apache apisix *
cisco unified_contact_center_management_portal -
microsoft windows_10_1809 *
grpc grpc 1.57.0
fedoraproject fedora 37
f5 big-ip_ddos_hybrid_defender 17.1.0
f5 big-ip_advanced_web_application_firewall 17.1.0
redhat single_sign-on 7.0
cisco ios_xe *
redhat integration_camel_k -
redhat openshift_container_platform 4.0
redhat openstack_platform 17.1
cisco unified_contact_center_domain_manager -
redhat web_terminal -
redhat jboss_fuse 7.0.0
redhat jboss_a-mq 7
f5 big-ip_access_policy_manager *
redhat jboss_data_grid 7.0.0
traefik traefik *
redhat openshift_virtualization 4
microsoft windows_server_2016 -
redhat 3scale_api_management_platform 2.0
cisco unified_contact_center_enterprise -
envoyproxy envoy 1.24.10
redhat migration_toolkit_for_containers -
f5 big-ip_advanced_web_application_firewall *
f5 big-ip_access_policy_manager 17.1.0
redhat enterprise_linux 6.0
redhat ansible_automation_platform 2.0
redhat jboss_a-mq_streams -
redhat openshift_container_platform_assisted_installer -
microsoft windows_server_2019 -
redhat fence_agents_remediation_operator -
redhat openshift_pipelines -
f5 big-ip_local_traffic_manager *
akka http_server *
facebook proxygen *
linecorp armeria *
kazu-yamamoto http2 *
f5 big-ip_analytics 17.1.0
f5 big-ip_local_traffic_manager 17.1.0
envoyproxy envoy 1.27.0
cisco unified_contact_center_enterprise_-_live_data_server *
microsoft asp.net_core *
redhat jboss_enterprise_application_platform 7.0.0
f5 nginx_plus r29
cisco unified_attendant_console_advanced -
f5 big-ip_ssl_orchestrator *
redhat openshift_gitops -
cisco ultra_cloud_core_-_policy_control_function *
redhat process_automation 7.0
f5 big-ip_application_visibility_and_reporting *
apache tomcat 11.0.0
f5 big-ip_websafe *
redhat openshift_api_for_data_protection -
cisco fog_director *
f5 big-ip_application_visibility_and_reporting 17.1.0
f5 nginx_plus *
cisco telepresence_video_communication_server *
microsoft azure_kubernetes_service *
redhat migration_toolkit_for_applications 6.0
redhat advanced_cluster_security 4.0
apache solr *
apple swiftnio_http/2 *
redhat run_once_duration_override_operator -
redhat quay 3.0.0
f5 big-ip_link_controller 17.1.0
linkerd linkerd 2.13.0
cisco iot_field_network_director *
fedoraproject fedora 38
f5 big-ip_domain_name_system 17.1.0
redhat node_healthcheck_operator -
cisco expressway *
envoyproxy envoy 1.26.4
redhat integration_camel_for_spring_boot -
redhat jboss_fuse 6.0.0
cisco prime_access_registrar *
redhat enterprise_linux 9.0
linkerd linkerd 2.14.0
cisco crosswork_zero_touch_provisioning *
golang go *
redhat node_maintenance_operator -
microsoft windows_10_22h2 *
cisco ultra_cloud_core_-_session_management_function *
f5 big-ip_carrier-grade_nat *
redhat build_of_quarkus -
redhat network_observability_operator -
redhat satellite 6.0
redhat jboss_enterprise_application_platform 6.0.0
f5 big-ip_fraud_protection_service 17.1.0
redhat cert-manager_operator_for_red_hat_openshift -
redhat migration_toolkit_for_virtualization -
redhat service_telemetry_framework 1.5
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
f5 big-ip_next 20.0.1
nodejs node.js *
cisco secure_web_appliance_firmware *
redhat build_of_optaplanner 8.0
redhat advanced_cluster_security 3.0
cisco secure_dynamic_attributes_connector *
f5 nginx *
microsoft cbl-mariner *
microsoft windows_10_1607 *
jenkins jenkins *
istio istio *
netty netty *
golang http2 *
linkerd linkerd 2.14.1
cisco business_process_automation *
redhat certification_for_red_hat_enterprise_linux 9.0
varnish_cache_project varnish_cache *
openresty openresty *
f5 big-ip_application_security_manager *
redhat support_for_spring_boot -
redhat integration_service_registry -
caddyserver caddy *
f5 big-ip_global_traffic_manager *
cisco enterprise_chat_and_email -
microsoft windows_11_22h2 *
eclipse jetty *
traefik traefik 3.0.0
cisco secure_malware_analytics *
f5 big-ip_next_service_proxy_for_kubernetes *
redhat machine_deletion_remediation_operator -
apache tomcat *
f5 big-ip_fraud_protection_service *
microsoft .net *
f5 big-ip_application_acceleration_manager 17.1.0
f5 big-ip_domain_name_system *
microsoft windows_11_21h2 *
f5 big-ip_application_acceleration_manager *
redhat ceph_storage 5.0
microsoft visual_studio_2022 *
debian debian_linux 12.0
f5 big-ip_webaccelerator *
f5 big-ip_websafe 17.1.0
debian debian_linux 11.0
cisco firepower_threat_defense *
nghttp2 nghttp2 *
f5 big-ip_application_security_manager 17.1.0
cisco crosswork_data_gateway 5.0
redhat service_interconnect 1.0
f5 nginx_ingress_controller *
f5 big-ip_global_traffic_manager 17.1.0
redhat openshift_serverless -
netapp oncommand_insight -
redhat jboss_core_services -
redhat openshift_data_science -
amazon opensearch_data_prepper *
redhat certification_for_red_hat_enterprise_linux 8.0
redhat openshift_dev_spaces -
CVE-2023-50463

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2026-27585

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2026-27586

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2026-27587

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2026-27588

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2026-27589

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.

Products Affected

Vendor Product Version
caddyserver caddy *
CVE-2026-27590

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.

Products Affected

Vendor Product Version
caddyserver caddy *