Caddy
- 2.10.2
A path-based routing and access control bypass vulnerability has been identified in Caddy versions prior to 2.11.1. The issue is in the HTTP 'path' request matcher, which is meant to match case-insensitively. When the match pattern includes percent-escape sequences, however, the matcher compares the request's escaped path without lowercasing it, so a request whose path differs from the pattern only in letter case is not matched. An attacker can therefore vary the casing of the request path to bypass routing and access controls. The affected component is Caddy's HTTP module; the listed affected version is 2.10.2.
Exploiting this vulnerability can lead to unauthorized access to sensitive endpoints by bypassing path-based routing and access controls. This is particularly concerning for routes that use percent-encoded patterns to protect sensitive areas, because an encoded-path variant with different casing can reach them without proper authorization.
The vulnerability can be reproduced by sending a request, with the casing of the request path changed, to a Caddy server running version 2.10.2 whose configuration includes a path matcher with percent-escape sequences. This can be done with a tool such as curl or through a web application that interacts with the Caddy server.
Users should upgrade to Caddy version 2.11.1, which addresses this vulnerability by ensuring that matching of percent-escaped paths is normalized so that it is case-insensitive.
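To make the normalization gap described above (and the fix) concrete, here is a simplified, hypothetical stand-in for a case-insensitive path matcher, written for this page and not taken from Caddy's source: a buggy version that skips lowercasing the escaped request path when the pattern contains a percent-escape, the corrected version that normalizes both branches, and a helper a defender can run over their own patterns to see which casing variants the buggy matcher would have let through. The pattern and request paths are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// matchPathBuggy: case-insensitive on the decoded path, but when the pattern
// carries a percent-escape it compares the raw escaped path without lowercasing.
func matchPathBuggy(pattern, rawPath string) bool {
	pattern = strings.ToLower(pattern)
	if strings.Contains(pattern, "%") {
		return rawPath == pattern // BUG: rawPath casing is never normalized
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return false
	}
	return strings.ToLower(decoded) == pattern
}

// matchPathFixed lowercases on both branches, so "/ADMIN%2Fpanel" and
// "/admin%2fpanel" are treated alike.
func matchPathFixed(pattern, rawPath string) bool {
	pattern = strings.ToLower(pattern)
	if strings.Contains(pattern, "%") {
		return strings.ToLower(rawPath) == pattern
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return false
	}
	return strings.ToLower(decoded) == pattern
}

// unmatchedVariants lists casing variants that the buggy matcher misses but
// the fixed one catches: requests a deny rule on this pattern would let through.
func unmatchedVariants(pattern string, variants []string) []string {
	var out []string
	for _, v := range variants {
		if !matchPathBuggy(pattern, v) && matchPathFixed(pattern, v) {
			out = append(out, v)
		}
	}
	return out
}

func main() { // constructed pattern and paths, for illustration only
	fmt.Println(unmatchedVariants("/admin%2Fpanel",
		[]string{"/admin%2fpanel", "/ADMIN%2Fpanel", "/Admin%2fPanel"}))
}
```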