Golang/Github.com/Caddyserver/Caddy/V2/Modules/Caddyhttp

Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport

Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because strings.ToLower() can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO, potentially causing a request that contains .php to execute a different on-disk file than intended (path …

Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (%xx) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.

Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the Host header.

Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections

The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections.

Advisories for Golang/Github.com/Caddyserver/Caddy/V2/Modules/Caddyhttp package