Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport
Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because strings.ToLower() can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO, potentially causing a request that contains .php to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
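To make the byte-offset mismatch concrete, here is an added Go example (not Caddy's own code) that places the pre-2.11.1 pattern described above beside a byte-length-preserving variant. It assumes `.php` as the configured split marker and uses a constructed request path containing U+212A KELVIN SIGN, which `strings.ToLower` folds to a one-byte ASCII `k`.

```go
package main

import (
	"fmt"
	"strings"
)

// Pre-2.11.1 pattern: index found in a Unicode-lowercased copy, then applied to the original bytes.
func splitPosVulnerable(path string, splits []string) int {
	lowerPath := strings.ToLower(path) // may change the UTF-8 byte length
	for _, split := range splits {
		if idx := strings.Index(lowerPath, strings.ToLower(split)); idx > -1 {
			return idx + len(split)
		}
	}
	return -1
}

// asciiLower folds only A-Z, so every byte maps to one byte and offsets stay aligned with the input.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// Hardened variant: same case-insensitive search, on a copy whose byte offsets match the original.
func splitPosSafe(path string, splits []string) int {
	lowerPath := asciiLower(path)
	for _, split := range splits {
		if idx := strings.Index(lowerPath, asciiLower(split)); idx > -1 {
			return idx + len(split)
		}
	}
	return -1
}

func main() {
	// Constructed path: U+212A KELVIN SIGN is 3 UTF-8 bytes but lowercases to ASCII 'k' (1 byte).
	path := "/\u212A/index.php/extra"
	splits := []string{".php"} // assumed split marker
	v, s := splitPosVulnerable(path, splits), splitPosSafe(path, splits)
	fmt.Printf("vulnerable: SCRIPT_NAME=%q PATH_INFO=%q\n", path[:v], path[v:])
	fmt.Printf("safe:       SCRIPT_NAME=%q PATH_INFO=%q\n", path[:s], path[s:])
}
```

The vulnerable split lands two bytes early, cutting inside `index.php`, while the ASCII-only fold keeps the index valid in the original path and still matches `.PHP` case-insensitively.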
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/caddyserver/caddy/v2 (Go) | < 2.11.1 | 2.11.1 |
References
- github.com/advisories/GHSA-5r3v-vc8m-m96g
- nvd.nist.gov/vuln/detail/CVE-2026-27590
- github.com/caddyserver/caddy/releases/tag/v2.11.1
- github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g
- github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38
- pkg.go.dev/vuln/GO-2026-4536