CVE-2022-29718
Description
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Caddy v2.4 contains an open redirect: an unauthenticated remote attacker can redirect users to arbitrary URLs via crafted links.
Vulnerability
Caddy v2 releases before 2.5.0 contain an open redirect vulnerability; the CVE description names v2.4, and the GitHub Security Advisory marks every version below 2.5.0 as affected. A remote, unauthenticated attacker can craft a link that, when a victim follows it, makes the Caddy server answer with a redirect to an arbitrary external URL. The flaw lies in the HTTP server's request handling: a redirect target is derived from user-controlled request data without sufficient validation, so the resulting Location header can point off-site. The issue is tracked as CVE-2022-29718 and GHSA-2927-hv3p-f3vp [1][3].
Exploitation
No authentication or special privilege is required. The vector is social engineering: the attacker delivers a crafted link (by email, chat, or from a site they control) whose URL the Caddy server partly interprets as a redirect target. When the victim's browser requests it, Caddy answers with an HTTP redirect (a 3xx response carrying a Location header) to an attacker-controlled host. The public references do not spell out the exact trigger; what they establish is that certain URL patterns reached a redirect path in Caddy without the destination host being sanitised or validated [1][3]. When testing a deployment, the observable symptom is a Location header whose resolved origin differs from the server's own.
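The following Go program is an added, generic illustration of the vulnerability class described above: a redirect whose Location header is built from an unvalidated request path. It is not Caddy's code and does not claim to reproduce Caddy's code path, which the references do not detail. The protocol-relative `//host/` trigger, the handler names, and the origin `app.example` are assumptions made for the example. It shows the weak handler beside its hardened form, and a browser-style check that tells whether a Location header leaves the origin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Generic illustration of the open-redirect class, not Caddy's code. The
// protocol-relative "//host/" trigger modelled here is an assumption about one
// common way a canonicalisation redirect becomes an open redirect.

// CanonicalizeVulnerable models a directory-canonicalisation redirect that
// appends a trailing slash and copies the request path into Location
// unchanged. A request for "//evil.example" yields
// "Location: //evil.example/", which a browser resolves as a scheme-relative
// URL on the host evil.example rather than as a local path.
func CanonicalizeVulnerable(w http.ResponseWriter, r *http.Request) {
	if !strings.HasSuffix(r.URL.Path, "/") {
		http.Redirect(w, r, r.URL.Path+"/", http.StatusPermanentRedirect)
		return
	}
	fmt.Fprintln(w, "directory listing")
}

// SafeLocalPath forces a request path to stay on the current origin: every
// leading "/" or "\" is collapsed into a single "/", so neither "//evil.example"
// nor "/\evil.example" (browsers treat "\" like "/" in http(s) URLs) can be
// parsed as an authority.
func SafeLocalPath(p string) string {
	return "/" + strings.TrimLeft(p, `/\`)
}

// CanonicalizeHardened is the same redirect with the target sanitised first.
func CanonicalizeHardened(w http.ResponseWriter, r *http.Request) {
	if !strings.HasSuffix(r.URL.Path, "/") {
		http.Redirect(w, r, SafeLocalPath(r.URL.Path)+"/", http.StatusPermanentRedirect)
		return
	}
	fmt.Fprintln(w, "directory listing")
}

// ProbeLocation serves one request to h in-process and returns the Location
// header it produced ("" if no redirect was issued). This is the probe to run
// against a redirecting endpoint when testing for this class of bug.
func ProbeLocation(h http.HandlerFunc, target string) string {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Result().Header.Get("Location")
}

// RedirectLeavesOrigin reports whether following location from a page on
// origin lands on a different scheme or host, resolving it as a browser would.
// Backslashes are normalised to slashes first because the WHATWG URL parser
// treats them as equivalent for http(s), so "/\evil.example/" is an off-site
// redirect even though net/url parses it as a plain path.
func RedirectLeavesOrigin(origin, location string) (bool, error) {
	base, err := url.Parse(origin)
	if err != nil {
		return false, err
	}
	ref, err := url.Parse(strings.ReplaceAll(location, `\`, "/"))
	if err != nil {
		return false, err
	}
	resolved := base.ResolveReference(ref)
	return resolved.Scheme != base.Scheme || !strings.EqualFold(resolved.Host, base.Host), nil
}

func main() {
	const origin = "https://app.example/" // assumed origin of the server under test
	handlers := []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", CanonicalizeVulnerable}, {"hardened", CanonicalizeHardened}}
	for _, target := range []string{"/docs", "//evil.example"} {
		for _, hd := range handlers {
			loc := ProbeLocation(hd.h, target)
			offsite, _ := RedirectLeavesOrigin(origin, loc)
			fmt.Printf("%-10s %-16s -> Location: %-18q off-site: %v\n", hd.name, target, loc, offsite)
		}
	}
}
```

The check in `RedirectLeavesOrigin` deliberately resolves the header the way a browser does, not the way `net/url` alone does: Go keeps `/\evil.example/` as a path, a browser does not. Any scanner that only string-matches `http://` or `https://` in Location misses both the protocol-relative and the backslash variants.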
Impact
Successful exploitation yields an open redirect: a user who follows the link sees the legitimate Caddy-hosted domain in the URL they clicked but lands on a site the attacker chose. The harm is to users rather than to the server: it lends the attacker's page the credibility of the trusted domain, which is useful for credential harvesting, malware delivery, and other phishing. It does not by itself compromise the server, disclose data, or escalate privileges on the Caddy host [1][3].
Mitigation
The fix shipped in Caddy v2.5.0 (released in April 2022; the CVE was published in June 2022). Upgrade to v2.5.0 or later; `caddy version` prints the running build. Distribution packages carry their own fixed package versions (for example the openSUSE and SUSE ranges listed under Affected products), so check the distribution advisory rather than the upstream version number alone. The available references provide no workaround [1][3]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/caddyserver/caddy | Go | < 2.5.0 | 2.5.0 |
| github.com/caddyserver/caddy/v2 | Go | < 2.5.0 | 2.5.0 |
Affected products
Vendor/product: Caddy/Caddy. Version ranges sourced from OSV coordinates (13 package URLs), reproduced as published:

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/caddy | < 0 |
| pkg:apk/chainguard/caddy-fips | < 0 |
| pkg:apk/chainguard/caddy-man | < 0 |
| pkg:apk/chainguard/caddy-src | < 0 |
| pkg:apk/chainguard/kubernetes-dns-node-cache-1.17 | < 0 |
| pkg:apk/wolfi/caddy | < 0 |
| pkg:apk/wolfi/caddy-man | < 0 |
| pkg:apk/wolfi/caddy-src | < 0 |
| pkg:golang/github.com/caddyserver/caddy | < 2.5.0 |
| pkg:golang/github.com/caddyserver/caddy/v2 | < 2.5.0 |
| pkg:rpm/opensuse/caddy?distro=openSUSE%20Leap%2015.4 | < 2.5.1-bp154.2.5.1 |
| pkg:rpm/opensuse/caddy?distro=openSUSE%20Tumbleweed | < 2.5.1-2.1 |
| pkg:rpm/suse/caddy?distro=SUSE%20Package%20Hub%2015%20SP4 | < 2.5.1-bp154.2.5.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- GitHub Security Advisory GHSA-2927-hv3p-f3vp: github.com/advisories/GHSA-2927-hv3p-f3vp
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2022-29718
- Pull request referenced by the advisory: github.com/caddyserver/caddy/pull/4499
- Commit referenced by the advisory: github.com/caddyserver/caddy/pull/4499/commits/b23bdcf99cfbd09d50555a999a16468404789230
- Caddy v2.5.0 release: github.com/caddyserver/caddy/releases/tag/v2.5.0
- Fedora package-announce message (vendor advisory): lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP2VIUT5IKA3OKM6YWA5LTLJ2GTEIH7C/
News mentions
No linked articles in our index yet.