VYPR
High severity (8.1) · GHSA Advisory · Published Jun 16, 2026

Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`

CVE-2026-52845

Description

In Caddy, forward_auth copy_headers fails to delete underscore-alias headers, allowing attackers to override FastCGI identity variables via header normalization collision.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Caddy, when using forward_auth with copy_headers and php_fastcgi, the copy_headers directive deletes exact client-supplied header names (e.g., Remote-Groups) before setting trusted values from the auth gateway. However, the FastCGI exporter normalizes HTTP header names by replacing hyphens with underscores, so an attacker can send an underscore variant (e.g., Remote_Groups) that survives deletion but collides with the derived CGI variable (e.g., HTTP_REMOTE_GROUPS). This affects all Caddy versions that support forward_auth and php_fastcgi with these configurations [1][2].

Exploitation

An unauthenticated remote attacker sends an HTTP request to a Caddy server that uses forward_auth copy_headers and php_fastcgi. The attacker includes a header with an underscore alias, such as Remote_Groups: injected_value. The copy_headers directive deletes only the exact hyphenated header (e.g., Remote-Groups), leaving the underscore version untouched. When the request is proxied to a PHP backend via FastCGI, both the legitimate header and the attacker's alias are normalized to the same CGI variable (e.g., HTTP_REMOTE_GROUPS), allowing the attacker to override or inject values [1][2].

Impact

A successful attacker can inject arbitrary values into CGI variables that PHP applications typically trust for authentication or authorization decisions, such as user identity or group membership. This can lead to privilege escalation, unauthorized access, or other security breaches depending on how the backend application uses those variables [1][2].

Mitigation

No official patch has been released for this issue as of the publication date. Users are advised to avoid using php_fastcgi with forward_auth copy_headers when identity headers are critical, or implement custom logic to sanitize underscore-alias headers. The vulnerability is distinct from the previously disclosed GHSA-7r4p-vjf4-gxv4 [1][2].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `forward_auth copy_headers` directive deletes only the exact header name (e.g., `Remote-Groups`) but not its underscore alias (`Remote_Groups`), which later collides with the trusted header when FastCGI normalizes hyphens to underscores."

Attack vector

An attacker sends an HTTP request containing a header whose name uses underscores instead of hyphens (e.g., `Remote_Groups` instead of `Remote-Groups`). The `forward_auth copy_headers` directive deletes only the hyphenated form via `http.Header.Del()`, so the underscore variant survives. When Caddy later forwards the request to a PHP/FastCGI backend, the FastCGI normalizer replaces hyphens with underscores, causing both the trusted header and the attacker's alias to map to the same CGI variable (e.g., `HTTP_REMOTE_GROUPS`). This allows the attacker to inject or override identity/group headers trusted by the backend application. [1][2]

Affected code

The vulnerability spans `modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go` (lines 212, 222) where `copy_headers` deletes headers via exact field matching, and `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go` (lines 410, 414, 510) where FastCGI normalizes hyphens to underscores. The exact deletion is performed through `http.Header.Del()` in `modules/caddyhttp/headers/headers.go` (lines 255, 281).

What the fix does

The advisory does not include a published patch. The recommended fix would need to ensure that when `forward_auth copy_headers` deletes client-supplied headers, it also deletes any underscore-variant aliases that would collide with the trusted header after FastCGI normalization. Alternatively, the FastCGI normalizer could be hardened to reject or sanitize headers containing underscores. Until a fix is released, deployments should avoid relying on `copy_headers` for security-critical headers when `php_fastcgi` is in use. [1][2]
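Added example, not Caddy's own code: a Go sketch of the collision described in the attack-vector paragraph and of the alias-aware deletion recommended above. It uses `net/http` plus a constructed CGI name mapper; `cgiVarName`, `hardenedCopy`, `toCGIEnv` and `simulate` are assumed names, and the `Remote_Groups: admin` header and the gateway value `users` are constructed inputs.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cgiVarName applies the CGI export convention (upper-case, "-" to "_", "HTTP_" prefix), so "Remote-Groups" and "Remote_Groups" both yield HTTP_REMOTE_GROUPS.
func cgiVarName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// hardenedCopy deletes every client header whose CGI name collides with the trusted header (raw map deletion also catches non-canonical keys), then sets the value.
func hardenedCopy(h http.Header, name, trusted string) {
	want := cgiVarName(name)
	for key := range h {
		if cgiVarName(key) == want {
			delete(h, key)
		}
	}
	h.Set(name, trusted)
}

// toCGIEnv groups header values by the CGI variable they export to; more than one value under a variable is a normalization collision.
func toCGIEnv(h http.Header) map[string][]string {
	env := map[string][]string{}
	for key, vals := range h {
		env[cgiVarName(key)] = append(env[cgiVarName(key)], vals...)
	}
	return env
}

// simulate applies one copy strategy to a constructed request carrying the
// attacker alias "Remote_Groups: admin" and returns the resulting CGI variables.
func simulate(hardened bool) map[string][]string {
	h := http.Header{}
	h.Set("Remote_Groups", "admin") // constructed; Del("Remote-Groups") leaves it
	if hardened {
		hardenedCopy(h, "Remote-Groups", "users")
	} else { // behaviour the advisory describes: delete exact name, set trusted value
		h.Del("Remote-Groups")
		h.Set("Remote-Groups", "users")
	}
	return toCGIEnv(h)
}

func main() {
	fmt.Println("naive:", simulate(false)["HTTP_REMOTE_GROUPS"], "hardened:", simulate(true)["HTTP_REMOTE_GROUPS"])
}
```

With exact-name deletion the backend sees two values under HTTP_REMOTE_GROUPS, one of them attacker-controlled; the alias-aware deletion leaves only the gateway's value.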

Preconditions

  • Config: Caddy must be configured with both `forward_auth` using `copy_headers` and `php_fastcgi` (or FastCGI) after the auth check.
  • Config: The backend PHP/FastCGI application must trust the resulting `HTTP_*` CGI variables for authentication or authorization decisions.
  • Network: The attacker must be able to send arbitrary HTTP headers to the Caddy server.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)