Advisories for Golang/Github.com/Caddyserver/Caddy/V2/Modules/Caddyhttp/Reverseproxy package

2026

Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

Caddy's forward_auth directive with copy_headers generates conditional header-set operations that only fire when the upstream auth service includes the named header in its response. No delete or remove operation is generated for the original client-supplied request header with the same name. When an auth service returns 200 OK without one of the configured copy_headers headers, the client-supplied header passes through unchanged to the backend. Any requester holding a valid authentication …

Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport

Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because strings.ToLower() can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO, potentially causing a request that contains .php to execute a different on-disk file than intended (path …