Vulnerability Report: GO-2026-4644
- CVE-2026-30852, GHSA-m2w3-8f23-hxxf
- Affects: github.com/caddyserver/caddy/v2
- Published: Mar 10, 2026
Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy
For detailed information about this vulnerability, visit https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf.
Affected Packages
- Versions: from v2.7.5 before v2.11.2
- Symbols: 117 affected symbols, listed below
- App.Cleanup
- App.Provision
- App.Start
- App.Stop
- App.Validate
- CELMatcherImpl
- CELValueToMapStrList
- CIDRExpressionToPrefix
- Error
- HandlerError.Error
- HandlerFunc.ServeHTTP
- Invoke.ServeHTTP
- LoggableHTTPHeader.MarshalLogObject
- LoggableHTTPRequest.MarshalLogObject
- LoggableTLSConnState.MarshalLogObject
- MatchClientIP.CELLibrary
- MatchClientIP.Match
- MatchClientIP.MatchWithError
- MatchClientIP.Provision
- MatchClientIP.UnmarshalCaddyfile
- MatchExpression.MarshalJSON
- MatchExpression.Match
- MatchExpression.MatchWithError
- MatchExpression.Provision
- MatchExpression.UnmarshalCaddyfile
- MatchExpression.UnmarshalJSON
- MatchHeader.CELLibrary
- MatchHeader.Match
- MatchHeader.MatchWithError
- MatchHeader.UnmarshalCaddyfile
- MatchHeaderRE.CELLibrary
- MatchHeaderRE.Match
- MatchHeaderRE.MatchWithError
- MatchHeaderRE.Provision
- MatchHeaderRE.UnmarshalCaddyfile
- MatchHeaderRE.Validate
- MatchHost.CELLibrary
- MatchHost.Match
- MatchHost.MatchWithError
- MatchHost.Provision
- MatchHost.UnmarshalCaddyfile
- MatchMethod.CELLibrary
- MatchMethod.UnmarshalCaddyfile
- MatchNot.MarshalJSON
- MatchNot.Match
- MatchNot.MatchWithError
- MatchNot.Provision
- MatchNot.UnmarshalCaddyfile
- MatchNot.UnmarshalJSON
- MatchPath.CELLibrary
- MatchPath.Match
- MatchPath.MatchWithError
- MatchPath.UnmarshalCaddyfile
- MatchPathRE.CELLibrary
- MatchPathRE.Match
- MatchPathRE.MatchWithError
- MatchProtocol.CELLibrary
- MatchProtocol.Match
- MatchProtocol.MatchWithError
- MatchProtocol.UnmarshalCaddyfile
- MatchQuery.CELLibrary
- MatchQuery.Match
- MatchQuery.MatchWithError
- MatchQuery.UnmarshalCaddyfile
- MatchRegexp.Match
- MatchRegexp.Provision
- MatchRegexp.UnmarshalCaddyfile
- MatchRegexp.Validate
- MatchRemoteIP.CELLibrary
- MatchRemoteIP.Match
- MatchRemoteIP.MatchWithError
- MatchRemoteIP.Provision
- MatchRemoteIP.UnmarshalCaddyfile
- MatchTLS.UnmarshalCaddyfile
- MatchVarsRE.CELLibrary
- MatchVarsRE.Match
- MatchVarsRE.MatchWithError
- MatchVarsRE.Provision
- MatchVarsRE.UnmarshalCaddyfile
- MatchVarsRE.Validate
- MatcherSet.Match
- MatcherSet.MatchWithError
- MatcherSets.AnyMatch
- MatcherSets.AnyMatchWithError
- MatcherSets.FromInterface
- MatcherSets.String
- ParseCaddyfileNestedMatcherSet
- ParseNamedResponseMatcher
- PrepareRequest
- ResponseHandler.Provision
- ResponseMatcher.Match
- ResponseWriterWrapper.Push
- ResponseWriterWrapper.ReadFrom
- Route.Provision
- Route.ProvisionHandlers
- Route.ProvisionMatchers
- Route.String
- RouteList.Provision
- RouteList.ProvisionHandlers
- RouteList.ProvisionMatchers
- Server.ServeHTTP
- StaticError.ServeHTTP
- StaticError.UnmarshalCaddyfile
- StaticIPRange.Provision
- StaticResponse.ServeHTTP
- StaticResponse.UnmarshalCaddyfile
- StringArray.UnmarshalJSON
- Subroute.Provision
- Subroute.ServeHTTP
- VarsMatcher.CELLibrary
- VarsMatcher.Match
- VarsMatcher.MatchWithError
- VarsMatcher.UnmarshalCaddyfile
- VarsMiddleware.ServeHTTP
- VarsMiddleware.UnmarshalCaddyfile
- WeakString.MarshalJSON
- WeakString.UnmarshalJSON
References
- https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf
- https://github.com/caddyserver/caddy/pull/5408
- https://github.com/caddyserver/caddy/releases/tag/v2.11.2
- https://vuln.go.dev/ID/GO-2026-4644.json