Impact
From Caddy version 2.4.0 through 2.11.3, the authorization system and the /config traversal subsystem interpret request paths differently. The authorization layer uses string prefix matching to determine an allowed config object, while the /config traversal layer parses array indices numerically using strconv.Atoi(). Consequently, a path that is authorized for one configuration object can resolve to a different object during traversal, allowing an attacker to read or modify configuration data that should not be accessible. This breach is an input validation flaw (CWE-187), an authorization bypass (CWE-863), and can also be interpreted as a path traversal issue (CWE-551). The vulnerability is fixed in Caddy 2.11.3.
Affected Systems
The affected product is Caddy from the caddyserver organization. All Caddy releases from version 2.4.0 up to 2.11.2 are impacted. Operating systems or deployment methods are not further specified in the advisory.
Risk and Exploitability
The CVSS score of 5.4 and an EPSS score of less than 1% indicate a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. This flaw allows a remote attacker who can send HTTP requests to the /config endpoint to bypass authorization controls, potentially read or modify sensitive configuration data, and traverse configuration paths that should not be accessible. Based on the description, it is inferred that the /config API is normally restricted to trusted networks. The attack requires access to the /config endpoint and exploits the mismatch between the authorization layer and the traversal layer to obtain or alter configuration objects.
OpenCVE Enrichment
Github GHSA