Caddy: vars_regexp double-expands user input, leaking env vars and files
Description
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/caddyserver/caddy/v2/modules/caddyhttpGo | >= 2.7.5, < 2.11.2 | 2.11.2 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-m2w3-8f23-hxxfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30852ghsaADVISORY
- github.com/caddyserver/caddy/pull/5408ghsax_refsource_MISCWEB
- github.com/caddyserver/caddy/releases/tag/v2.11.2ghsax_refsource_MISCWEB
- github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.