Caddy: vars_regexp double-expands user input, leaking env vars and files
Description
Caddy is an extensible server platform that uses TLS by default. In versions from 2.7.5 up to but not including 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder such as {http.request.header.X-Input}, the header value is resolved once (expected) and then passed through repl.ReplaceAll() a second time (the bug). Because the already-resolved value is client-controlled, an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system information. This issue has been patched in version 2.11.2.
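The following is an added illustration of the double-expansion mechanism and its fix; it is not Caddy's code and does not use Caddy's replacer. It assumes a simplified placeholder syntax of the form {key} resolved against request headers and environment variables, and the names Replacer, matchVulnerable, matchFixed and newExampleReplacer are hypothetical. The header and environment values are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholderRE matches the "{...}" placeholder syntax. This is a simplified
// stand-in for Caddy's replacer syntax (constructed example, not Caddy's code).
var placeholderRE = regexp.MustCompile(`\{[^{}]+\}`)

// Replacer resolves placeholders against request headers and environment
// variables. Both maps hold constructed sample data.
type Replacer struct {
	headers map[string]string
	env     map[string]string
}

// ReplaceAll expands every placeholder in s exactly once. Unknown placeholders
// become empty strings.
func (r *Replacer) ReplaceAll(s string) string {
	return placeholderRE.ReplaceAllStringFunc(s, func(ph string) string {
		key := ph[1 : len(ph)-1]
		switch {
		case strings.HasPrefix(key, "http.request.header."):
			return r.headers[strings.TrimPrefix(key, "http.request.header.")]
		case strings.HasPrefix(key, "env."):
			return r.env[strings.TrimPrefix(key, "env.")]
		}
		return ""
	})
}

// matchVulnerable models the flaw described in the advisory: the configured
// input is expanded once (expected), and the already-resolved value, which the
// client controls, is fed through ReplaceAll a second time (the bug).
func matchVulnerable(r *Replacer, configured string, pattern *regexp.Regexp) (bool, string) {
	resolved := r.ReplaceAll(configured)
	resolved = r.ReplaceAll(resolved) // second expansion: the header value is now treated as a template
	return pattern.MatchString(resolved), resolved
}

// matchFixed expands exactly once, so a header containing "{env.X}" stays
// literal data and is never resolved.
func matchFixed(r *Replacer, configured string, pattern *regexp.Regexp) (bool, string) {
	resolved := r.ReplaceAll(configured)
	return pattern.MatchString(resolved), resolved
}

// newExampleReplacer builds a replacer with constructed sample data: one
// request header carrying a placeholder and one secret in the environment.
func newExampleReplacer() *Replacer {
	return &Replacer{
		headers: map[string]string{"X-Input": "{env.DATABASE_URL}"},
		env:     map[string]string{"DATABASE_URL": "postgres://app:s3cret@db.internal/app"},
	}
}

func main() {
	r := newExampleReplacer()
	configured := "{http.request.header.X-Input}" // the operator's matcher input
	pattern := regexp.MustCompile(`^postgres://`)

	hit, v := matchVulnerable(r, configured, pattern)
	fmt.Printf("vulnerable: match=%v value=%q\n", hit, v)
	hit, v = matchFixed(r, configured, pattern)
	fmt.Printf("fixed:      match=%v value=%q\n", hit, v)
}
```

The defensive point is that a value which has already been resolved from the request is data, not a template: configuration placeholders are expanded once, and nothing derived from the client is ever re-expanded. The same one-expansion rule is what keeps header values such as {env.DATABASE_URL} inert in the fixed path.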
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/caddyserver/caddy/v2/modules/caddyhttp (Go) | >= 2.7.5, < 2.11.2 | 2.11.2 |
Affected products
- pkg:golang/github.com/caddyserver/caddy/v2/modules/caddyhttp (GHSA coordinates, no CPE): range >= 2.7.5, < 2.11.2
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE): range < 0.0.20260317T205859-150000.1.152.1
- Range: >= 2.7.5, < 2.11.2
References
- github.com/advisories/GHSA-m2w3-8f23-hxxf (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-30852 (advisory)
- github.com/caddyserver/caddy/pull/5408 (web)
- github.com/caddyserver/caddy/releases/tag/v2.11.2 (web)
- github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf (vendor confirmation)