Description
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
Published: 2026-03-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure (environment variables and file contents)
Action: Apply Patch
AI Analysis

Impact

The Caddy vars_regexp matcher performs an unintended double expansion of user-controlled input through the replacer. The likely attack vector is a crafted HTTP request header whose value contains placeholders such as {env.DATABASE_URL} or {file./etc/passwd}. When the matcher is configured against a header placeholder such as {http.request.header.X-Input}, the header value is resolved once as expected and then expanded a second time, so placeholders embedded in the header that reference environment variables or file paths are evaluated and the requested data is leaked to the attacker. The flaw is categorized as Information Exposure and Improper Handling of Special Characters, and it allows sensitive data to be read without authentication or authorization.

Affected Systems

CaddyServer Caddy, versions from 2.7.5 up to but not including 2.11.2, is affected. Any installation of these versions whose configuration applies the vars_regexp matcher to request header input can be exploited.

Risk and Exploitability

The flaw has a CVSS score of 5.5, reflecting medium severity. EPSS indicates a low probability of exploitation (<1%). It is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability from the network by sending a crafted HTTP request header; no privileged access or local compromise is required. Once triggered, confidential environment variables, file contents, and system information can be exposed to the attacker, potentially leading to credential theft and subsequent attacks.

Generated by OpenCVE AI on April 18, 2026 at 09:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Caddy to version 2.11.2 or newer to apply the vendor patch.
  • Disable or remove the vars_regexp matcher in any configuration that processes untrusted header input, preventing the double-expansion behavior.
  • Implement application or infrastructure monitoring to detect attempts to resolve environment variables or file paths through request headers and alert on suspicious activity.
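As an added illustration of the double expansion described under Impact and of the header monitoring suggested above: this is not Caddy's code but a toy replacer built only on the Go standard library; the names expand, matchInput and suspiciousPlaceholder are hypothetical, and the header and secret values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Minimal stand-in for a placeholder replacer: every {key} token whose key is
// present in vars is substituted, unknown tokens become empty. Toy code, not Caddy's.
var placeholder = regexp.MustCompile(`\{([^{}]+)\}`)

func expand(s string, vars map[string]string) string {
	return placeholder.ReplaceAllStringFunc(s, func(tok string) string {
		return vars[strings.Trim(tok, "{}")]
	})
}

// matchInput models the operand handed to a regexp matcher configured on
// "{http.request.header.X-Input}". With doubleExpand=true it reproduces the
// described defect: the already-resolved header value is expanded a second
// time, so placeholder syntax carried inside the request header is evaluated.
func matchInput(operand string, vars map[string]string, doubleExpand bool) string {
	resolved := expand(operand, vars) // expected: placeholder -> header value
	if doubleExpand {
		resolved = expand(resolved, vars) // the bug: header value treated as a template
	}
	return resolved
}

// suspiciousPlaceholder flags header values that carry replacer syntax for
// environment or file lookups, for request logging and alerting.
var suspicious = regexp.MustCompile(`\{(env|file)\.[^}]*\}`)

func suspiciousPlaceholder(headerValue string) bool {
	return suspicious.MatchString(headerValue)
}

func main() {
	vars := map[string]string{
		"env.DATABASE_URL":            "postgres://app:s3cret@db/prod", // constructed secret
		"http.request.header.X-Input": "{env.DATABASE_URL}",            // constructed header
	}
	operand := "{http.request.header.X-Input}"
	fmt.Println("vulnerable:", matchInput(operand, vars, true))  // secret reaches the regexp
	fmt.Println("fixed:     ", matchInput(operand, vars, false)) // literal header text only
	fmt.Println("alert:", suspiciousPlaceholder(vars["http.request.header.X-Input"]))
}
```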



Advisories
Source      | ID                  | Title
Github GHSA | GHSA-m2w3-8f23-hxxf | Caddy's vars_regexp double-expands user input, leaking env vars and files
History

Wed, 11 Mar 2026 13:15:00 +0000

Type             | Values Removed | Values Added
CPEs             |                | cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
Metrics cvssV3_1 |                | {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 09 Mar 2026 19:15:00 +0000

Type         | Values Removed | Values Added
Metrics ssvc |                | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Caddyserver; Caddyserver caddy
Vendors & Products  |                | Caddyserver; Caddyserver caddy

Sat, 07 Mar 2026 16:45:00 +0000

Type             | Values Removed | Values Added
Description      |                | Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
Title            |                | Caddy: vars_regexp double-expands user input, leaking env vars and files
Weaknesses       |                | CWE-200; CWE-74
References       |                |
Metrics cvssV4_0 |                | {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:24:55.495Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30852

Vulnrichment

Updated: 2026-03-09T18:19:35.549Z

NVD

Status : Analyzed

Published: 2026-03-07T17:15:52.733

Modified: 2026-03-11T13:01:46.030

Link: CVE-2026-30852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses