VYPR
Moderate severity · NVD Advisory · Published Feb 6, 2023 · Updated Mar 26, 2025

CVE-2022-28923

Description

Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Caddy v2.4.6 contains an open redirect vulnerability that allows attackers to redirect users to malicious sites via crafted %5C%5C and %2e%2e%2f paths.

Caddy v2.4.6 is vulnerable to an open redirect attack because the file-server module percent-decodes the request path a second time (net/http has already decoded it once), so encoded backslash and double-dot sequences that should have stayed literal are handled as path characters [3]. The vulnerability was discovered and reported by Mayank Mukhi, and it was confirmed to affect only version v2.4.6 among v2.x releases [3].

An attacker can exploit this by sending a crafted request to a Caddy file-server with a URL path such as /%5C%5Cexample.com/%252e%252e%252f. The server responds with an HTTP 308 redirect to the attacker-controlled domain, allowing redirection to arbitrary external sites [3]. No authentication is required, and the attack can be performed over the network [2].

Successful exploitation enables phishing attacks by directing users to malicious websites that appear legitimate, potentially leading to credential theft or malware distribution [2]. The vulnerability is classified as an open redirect with moderate impact.

The issue was fixed in commit 78b5356f2b1945a90de1ef7f2c7669d82098edbd, and users should upgrade to Caddy v2.5.0 or later to mitigate the risk [3][4].
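The following Go program is an added illustration, not Caddy's code: it models the one line the fix removes (the second url.PathUnescape in SanitizedPathJoin) beside the fixed behaviour, feeds both the request path quoted above, and adds a defender-side check that a site-local Location header never begins with "//" or "/\", which browsers read as scheme-relative. The joinClean helper is a simplified stand-in for the rest of SanitizedPathJoin (assumption: path.Clean on "/"+reqPath under root), and safeTrailingSlashRedirect is a hypothetical helper, not a Caddy function.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed input: the request path from the advisory, as sent on the wire.
const rawRequestPath = "/%5C%5Cexample.com/%252e%252e%252f"

// onceDecoded mimics what net/http does before a handler sees r.URL.Path:
// exactly one round of percent-decoding.
func onceDecoded(raw string) string {
	p, err := url.PathUnescape(raw)
	if err != nil {
		return raw
	}
	return p
}

// joinClean is a simplified stand-in (assumption, not Caddy's exact code) for the
// remainder of SanitizedPathJoin: anchor the request path at "/" and clean it under root.
func joinClean(root, reqPath string) string {
	if root == "" {
		root = "."
	}
	return path.Join(root, path.Clean("/"+reqPath))
}

// sanitizedPathJoinVulnerable models the pre-fix line visible in the diff: the
// already-decoded path is decoded again, so "%2e%2e%2f" (sent as "%252e%252e%252f")
// becomes "../" and the request collapses onto the root directory.
func sanitizedPathJoinVulnerable(root, reqPath string) string {
	reqPath, _ = url.PathUnescape(reqPath)
	return joinClean(root, reqPath)
}

// sanitizedPathJoinFixed models the post-fix behaviour: no second decode, so the
// literal "%2e%2e%2f" stays a (nonexistent) file name under root.
func sanitizedPathJoinFixed(root, reqPath string) string {
	return joinClean(root, reqPath)
}

// isSchemeRelative reports whether a Location meant to be site-local would be read
// by browsers as "//host/...". WHATWG URL parsing treats "\" like "/" for http(s),
// so "/\\example.com/..." is just as off-site as "//example.com/...".
func isSchemeRelative(loc string) bool {
	if len(loc) < 2 {
		return false
	}
	isSlash := func(c byte) bool { return c == '/' || c == '\\' }
	return isSlash(loc[0]) && isSlash(loc[1])
}

// safeTrailingSlashRedirect (hypothetical helper) builds the Location for an
// "add trailing slash" redirect from the decoded request path and refuses any
// result that a browser would resolve to another host.
func safeTrailingSlashRedirect(reqPath string) (string, bool) {
	loc := reqPath
	if !strings.HasSuffix(loc, "/") {
		loc += "/"
	}
	if isSchemeRelative(loc) {
		return "", false
	}
	return loc, true
}

func main() {
	decoded := onceDecoded(rawRequestPath)
	fmt.Printf("r.URL.Path after net/http: %q\n", decoded)
	fmt.Printf("vulnerable join: %q\n", sanitizedPathJoinVulnerable("/srv", decoded))
	fmt.Printf("fixed join:      %q\n", sanitizedPathJoinFixed("/srv", decoded))
	loc, ok := safeTrailingSlashRedirect(decoded)
	fmt.Printf("redirect allowed: %v (%q)\n", ok, loc)
}
```

With the vulnerable join the crafted path resolves to the root directory itself, which is exactly the case in which a file server answers with a canonicalising redirect built from the raw request path; with the fixed join it resolves to a file that does not exist, and the redirect check refuses the "/\\example.com/..." Location either way.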

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
github.com/caddyserver/caddy/v2 (Go)     < 2.5.0-beta.1      2.5.0-beta.1

Patches

78b5356f2b19

fileserver: do not double-escape paths (#4447)

https://github.com/caddyserver/caddy · Mohammed Al Sahaf · Dec 11, 2021 · via ghsa
2 files changed · +3 −5
  • modules/caddyhttp/caddyhttp.go (+0 −2, modified)
    @@ -20,7 +20,6 @@ import (
     	"io"
     	"net"
     	"net/http"
    -	"net/url"
     	"path/filepath"
     	"strconv"
     	"strings"
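Review bot: dropping the "net/url" import is only safe if SanitizedPathJoin was the last user of the package in caddyhttp.go; the hunk shows that one call site being removed but nothing else in the file, so confirm the build (go vet / go build) rather than rely on the diff alone.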
    @@ -228,7 +227,6 @@ func StatusCodeMatches(actual, configured int) bool {
     // never be outside of root. The resulting path can be used
     // with the local file system.
     func SanitizedPathJoin(root, reqPath string) string {
    -	reqPath, _ = url.PathUnescape(reqPath)
     	if root == "" {
     		root = "."
     	}
    
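Review bot: removing `reqPath, _ = url.PathUnescape(reqPath)` is the right fix, since net/http hands the handler a path that is already decoded once and a second decode turns `%252e%252e%252f` into `../`; the doc comment above the function should now state that reqPath is expected to be already decoded, and a regression test that feeds a double-encoded path (the `/%5C%5Cexample.com/%252e%252e%252f` case from the report) and asserts it no longer collapses onto root would guard against the unescape creeping back in.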
  • modules/caddyhttp/fileserver/browsetplcontext.go (+3 −3, modified)
    @@ -43,11 +43,9 @@ func (fsrv *FileServer) directoryListing(files []os.FileInfo, canGoUp bool, root
     
     		isDir := f.IsDir() || isSymlinkTargetDir(f, root, urlPath)
     
    -		u := url.URL{Path: url.PathEscape(name)}
    -
     		// add the slash after the escape of path to avoid escaping the slash as well
     		if isDir {
    -			u.Path += "/"
    +			name += "/"
     			dirCount++
     		} else {
     			fileCount++
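Review bot: the comment "add the slash after the escape of path to avoid escaping the slash as well" is now stale, because this hunk removes the url.PathEscape call it refers to and the slash is appended to the raw name instead; update it to say the slash is added to the name before the URL is built later in the function.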
    @@ -67,6 +65,8 @@ func (fsrv *FileServer) directoryListing(files []os.FileInfo, canGoUp bool, root
     			// was already set above.
     		}
     
    +		u := url.URL{Path: "./" + name} // prepend with "./" to fix paths with ':' in the name
    +
     		fileInfos = append(fileInfos, fileInfo{
     			IsDir:     isDir,
     			IsSymlink: fileIsSymlink,
    
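Review bot: `u := url.URL{Path: "./" + name}` relies on url.URL.String() (or the template's use of u) to percent-encode the path exactly once when rendered, and the "./" prefix is what keeps a name such as `a:b` from being parsed as a scheme in a relative href; a test over a directory listing containing names with ':' , '%' and '#' would confirm the rendered href is encoded once and still resolves relative to the listing.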

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
