Fluid Attacks Database

Description

Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/caddyserver/caddy/v2/modules/caddyhttp	>=2.7.5 <2.11.2	2.11.2
go	github.com/caddyserver/caddy/v2	>=2.7.5 <2.11.2	2.11.2

Aliases

1. CVE-2026-308522. NVD-2026-308523. OSV-2026-308524. OSV-GO-2026-46445. GHSA-m2w3-8f23-hxxf6. GCVE-2026-308527. GHSA-m2w3-8f23-hxxf

References

1. https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf2. https://github.com/caddyserver/caddy/pull/54083. https://github.com/caddyserver/caddy/releases/tag/v2.11.2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.