Impact
Caddy is an extensible server platform that uses TLS by default. From version 2.7.0 up to (but not including) 2.11.3, the FastCGI transport's splitPos() misuses golang.org/x/text/search with search.IgnoreCase as a fallback whenever the request path contains a non‑ASCII byte. Two distinct flaws in that case-insensitive fallback let an attacker mislead Caddy's FastCGI path splitting into treating a non‑.php file (or a file without whichever extension split_path is configured with) as a script. In deployments where the attacker can place content into a file served via FastCGI, such as uploads or file storage, a crafted URL that triggers either flaw can result in remote code execution. The vulnerability is fixed in 2.11.3, and its CVSS base score of 8.1 reflects that severity.
Affected Systems
The vulnerability affects the Caddy Server (caddyserver:caddy) in all releases from version 2.7.0 up to and including version 2.11.2, which are known to contain the flawed splitPos implementation. Versions 2.11.3 and later include the fix and are no longer impacted.
Risk and Exploitability
An attacker who can upload or place arbitrary content into a path served via FastCGI, for example through a file‑upload feature or a storage endpoint, can construct a URL containing a non‑ASCII byte. The malformed path causes the server to mis-split the request at the file extension and pass the uploaded file to the FastCGI backend for execution as a script, giving the attacker remote command execution. The vulnerability has no EPSS entry, so the available data does not quantify its exploitation probability at present, and it is not listed in the CISA KEV catalog. Nonetheless, the CVSS score of 8.1 and the feasibility of exploitation through ordinary HTTP requests make the risk high, with the attack vector being remote via the web front end.
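To make the mitigation concrete, the following Go program is an added example written for this advisory; it is not Caddy's own code and does not reproduce the flawed splitPos(). It assumes a simplified split_path semantic (split the request path just after the first occurrence of a configured extension, compared case-insensitively) and shows why that comparison must fold case byte-wise over ASCII only: Go's Unicode-aware strings.EqualFold, used here purely as a stand-in for a Unicode case-insensitive matcher, treats the non-ASCII Kelvin sign U+212A as equal to the letter "k", whereas the ASCII-only fold does not. It also includes a small check an operator can use to log or alert on request paths that carry non-ASCII bytes while an affected version is still deployed.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiFold lowercases only the ASCII letters A-Z; every other byte,
// including the bytes of multi-byte UTF-8 sequences, is left untouched.
func asciiFold(b byte) byte {
	if b >= 'A' && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// ASCIIEqualFold compares two strings byte by byte with ASCII-only case
// folding, so no non-ASCII character can ever match an ASCII letter.
func ASCIIEqualFold(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		if asciiFold(a[i]) != asciiFold(b[i]) {
			return false
		}
	}
	return true
}

// UnicodeEqualFold is the Unicode-aware comparison (strings.EqualFold),
// included only to contrast its behaviour with ASCIIEqualFold.
func UnicodeEqualFold(a, b string) bool {
	return strings.EqualFold(a, b)
}

// SplitPos returns the byte offset just after the first configured
// extension found in path, or -1 when no extension matches. This is a
// simplified stand-in for a split_path lookup (an assumption of this
// example, not Caddy's implementation); the important property is that the
// match is ASCII-only, so a request path containing non-ASCII bytes can
// never be split at a position the byte-wise comparison would not choose.
func SplitPos(path string, exts []string) int {
	for i := 0; i < len(path); i++ {
		for _, ext := range exts {
			end := i + len(ext)
			if end <= len(path) && ASCIIEqualFold(path[i:end], ext) {
				return end
			}
		}
	}
	return -1
}

// HasNonASCII reports whether a request path contains any byte >= 0x80.
// Operators running an affected version can use this as a logging or
// alerting condition on paths routed to a FastCGI backend.
func HasNonASCII(path string) bool {
	for i := 0; i < len(path); i++ {
		if path[i] >= 0x80 {
			return true
		}
	}
	return false
}

func main() {
	exts := []string{".php"}
	// Constructed sample request paths for demonstration.
	for _, p := range []string{
		"/uploads/app.php/extra",
		"/uploads/APP.PHP",
		"/uploads/avatar.png",
		"/uploads/r\u00e9sum\u00e9.png",
	} {
		fmt.Printf("%-28q split=%3d nonASCII=%v\n", p, SplitPos(p, exts), HasNonASCII(p))
	}
	// Unicode folding equates the Kelvin sign (U+212A) with "k"; ASCII folding does not.
	fmt.Println("unicode fold:", UnicodeEqualFold("k", "\u212a"), " ascii fold:", ASCIIEqualFold("k", "\u212a"))
}
```

The design choice is that the extension comparison never consults Unicode case tables: a path byte either equals an ASCII extension byte after ASCII folding or it does not, so the presence of non-ASCII bytes in a request can only ever cause the match to fail, never to succeed at an unexpected position.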