Source: caddy
Version: 2.11.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for caddy.

CVE-2026-45135[0]:
| Caddy is an extensible server platform that uses TLS by default.
| From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in
| modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses
| golang.org/x/text/search with search.IgnoreCase when the request
| path contains a non-ASCII byte. Two distinct flaws in that fallback
| let an attacker mislead Caddy's FastCGI splitting into treating a
| non-.php (or other configured split_path extension) file as a
| script. In any deployment where the attacker can place content into
| a file served via FastCGI (uploads, file storage, etc.), this can be
| escalated to remote code execution by crafting a URL whose path
| triggers either flaw. This vulnerability is fixed in 2.11.3.


CVE-2026-45692[1]:
| Caddy is an extensible server platform that uses TLS by default.
| From 2.4.0 until 2.11.3, the authorization layer and the /config
| traversal layer do not agree on what object the path refers to. In
| this case, a path authorized for one config object is accepted, but
| then resolves to a different config object during traversal. This
| happens because the authorization layer uses string prefix matching
| and the /config traversal layer parses array indices numerically
| using strconv.Atoi(). This vulnerability is fixed in 2.11.3.

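The mismatch described for CVE-2026-45692 (authorization by string prefix, traversal by strconv.Atoi) is easiest to see in code. The following is an added Go example, not Caddy's own admin-API code and not part of the advisory: it contrasts a raw prefix check with a segment-wise check that also insists every array index be in its canonical decimal spelling, so that the authorization and traversal layers cannot read the same segment as two different objects. The function names (prefixAuthorized, segmentAuthorized, isCanonicalIndex) and the sample path are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// splitConfigPath splits an admin path such as
// /config/apps/http/servers/srv0/routes/1 into segments, dropping the empty
// segments that a leading or doubled slash would produce.
func splitConfigPath(p string) []string {
	var segs []string
	for _, s := range strings.Split(p, "/") {
		if s != "" {
			segs = append(segs, s)
		}
	}
	return segs
}

// isCanonicalIndex reports whether s is the one spelling of a non-negative
// integer that round-trips through strconv.Atoi. Atoi also accepts "+1",
// "01" and "-0", so a layer that authorizes on the raw string while another
// layer traverses on the parsed number can disagree; requiring the canonical
// form makes both layers see the same index.
func isCanonicalIndex(s string) bool {
	n, err := strconv.Atoi(s)
	return err == nil && n >= 0 && strconv.Itoa(n) == s
}

// prefixAuthorized is the weak shape: a raw string prefix. Authorizing
// ".../routes/1" also admits ".../routes/10" and ".../routes/1abc".
func prefixAuthorized(allowed, requested string) bool {
	return strings.HasPrefix(requested, allowed)
}

// segmentAuthorized compares whole segments, so the authorized path must be a
// segment-boundary prefix of the request, and rejects any numeric segment
// that is not in canonical form.
func segmentAuthorized(allowed, requested string) bool {
	a, r := splitConfigPath(allowed), splitConfigPath(requested)
	if len(r) < len(a) {
		return false
	}
	for i, seg := range r {
		if i < len(a) && seg != a[i] {
			return false
		}
		if _, err := strconv.Atoi(seg); err == nil && !isCanonicalIndex(seg) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: an operator authorized for route index 1 only.
	allowed := "/config/apps/http/servers/srv0/routes/1"
	for _, req := range []string{
		allowed,
		allowed + "/handle/0",
		"/config/apps/http/servers/srv0/routes/10",
		"/config/apps/http/servers/srv0/routes/01",
		"/config/apps/http/servers/srv0/routes/+1",
	} {
		fmt.Printf("%-48s prefix=%-5v segment=%v\n", req,
			prefixAuthorized(allowed, req), segmentAuthorized(allowed, req))
	}
}
```

Run it and the two columns disagree exactly where the request path and the authorized path name different objects: "routes/10" passes the prefix check but not the segment check, and the non-canonical spellings "01" and "+1" (both of which Atoi parses as 1) are rejected outright.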

CVE-2026-52844[2]:
| Caddy is an extensible server platform that uses TLS by default.
| Prior to 2.11.4, on Windows, Caddy path matchers treat
| /private\secret.txt as outside /private/*, but file_server later
| resolves the same request path as private\secret.txt on disk. An
| unauthenticated remote client can bypass Caddy path-scoped auth/deny
| routes protecting /private/*. This vulnerability is fixed in 2.11.4.


CVE-2026-52845[3]:
| Caddy is an extensible server platform that uses TLS by default.
| Prior to 2.11.4, forward_auth copy_headers deletes the exact client-
| supplied identity header before copying the trusted value from the
| auth gateway. But when the request later goes through php_fastcgi,
| Caddy normalizes HTTP headers into CGI variables by replacing - with
| _. This lets a client send an underscore alias that survives the
| forward_auth delete step but becomes the same PHP/FastCGI variable.
| Result: a remote client can inject or sometimes override
| identity/group headers trusted by PHP/FastCGI applications behind
| Caddy. This vulnerability is fixed in 2.11.4.

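The header-name collision behind CVE-2026-52845 comes down to two layers normalizing names differently. The following is an added Go example, not Caddy's forward_auth or FastCGI code and not part of the advisory: it models the CGI meta-variable rule (upper-case the name, replace "-" with "_", prefix with HTTP_), shows that deleting only the exactly spelled header leaves an underscore alias in the same backend variable, and contrasts that with deleting every incoming header that collapses to the trusted variable. The function names (cgiVarName, backendView, deleteExact, deleteAliases) and the sample headers are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cgiVarName maps an HTTP header name to the CGI meta-variable a FastCGI
// backend receives: upper-cased, "-" replaced by "_", prefixed with HTTP_.
// Modelled on the CGI convention; this is not Caddy's own function.
func cgiVarName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// backendView returns the CGI variables a backend would see for h. Header
// names that differ only by "-" versus "_" land in the same variable.
func backendView(h http.Header) map[string][]string {
	vars := make(map[string][]string)
	for name, values := range h {
		key := cgiVarName(name)
		vars[key] = append(vars[key], values...)
	}
	return vars
}

// deleteExact is the weak shape: it removes only the header spelled exactly
// like the trusted one, so an underscore alias survives and reaches the
// backend under the same CGI variable name.
func deleteExact(h http.Header, trusted, value string) {
	h.Del(trusted)
	h.Set(trusted, value)
}

// deleteAliases removes every client-supplied header that collapses to the
// same CGI variable as trusted before installing the trusted value, so the
// backend sees exactly one value for that variable.
func deleteAliases(h http.Header, trusted, value string) {
	want := cgiVarName(trusted)
	for name := range h {
		if cgiVarName(name) == want {
			h.Del(name)
		}
	}
	h.Set(trusted, value)
}

// constructedRequest builds the sample request headers used below: a
// client-supplied value for the identity header plus its underscore alias.
func constructedRequest() http.Header {
	h := http.Header{}
	h.Set("Host", "app.example.test")
	h.Set("X-Remote-User", "client-supplied")
	h.Set("X_Remote_User", "client-supplied-alias")
	return h
}

func main() {
	steps := []struct {
		name string
		fix  func(http.Header, string, string)
	}{
		{"delete exact name", deleteExact},
		{"delete all aliases", deleteAliases},
	}
	for _, s := range steps {
		h := constructedRequest()
		s.fix(h, "X-Remote-User", "alice") // "alice" stands in for the gateway's trusted value
		fmt.Printf("%-20s HTTP_X_REMOTE_USER=%v\n", s.name, backendView(h)["HTTP_X_REMOTE_USER"])
	}
}
```

The first line of output still carries the alias value alongside "alice"; the second carries only "alice". The same backend-view function doubles as a detection aid: if a request produces more than one value for a variable that is supposed to come solely from the auth gateway, something upstream of the backend is letting an alias through.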

CVE-2026-52846[4]:
| Caddy is an extensible server platform that uses TLS by default.
| Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably
| remove all HTML tags from input strings. Certain malformed HTML,
| such as <<>img src=x onerror=alert()>, can bypass the tag-stripping
| logic, potentially leaving dangerous content in the output if it is
| later rendered as HTML. This may allow client-side XSS in cases
| where untrusted strings are rendered unsafely. This vulnerability is
| fixed in 2.11.4.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45135
    https://www.cve.org/CVERecord?id=CVE-2026-45135
    https://github.com/caddyserver/caddy/security/advisories/GHSA-m675-2p33-xv9g
[1] https://security-tracker.debian.org/tracker/CVE-2026-45692
    https://www.cve.org/CVERecord?id=CVE-2026-45692
    https://github.com/caddyserver/caddy/security/advisories/GHSA-x5w9-xh9r-mvfc
[2] https://security-tracker.debian.org/tracker/CVE-2026-52844
    https://www.cve.org/CVERecord?id=CVE-2026-52844
    https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6
[3] https://security-tracker.debian.org/tracker/CVE-2026-52845
    https://www.cve.org/CVERecord?id=CVE-2026-52845
    https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g
[4] https://security-tracker.debian.org/tracker/CVE-2026-52846
    https://www.cve.org/CVERecord?id=CVE-2026-52846
    https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v

Regards,
Salvatore
