Caddy HTTP Host Matcher Case Sensitivity Vulnerability Allowing Route Bypass

Vulnerability

A vulnerability exists in Caddy's HTTP host request matcher, which is intended to be case-insensitive. However, in versions prior to 2.11.1, when the host list exceeds 100 entries, the matcher becomes case-sensitive. This change allows attackers to bypass host-based routing and associated access controls by altering the casing of the Host header. The issue is present in Caddy version 2.10.2.

Impact

Exploiting this vulnerability can lead to unauthorized access to routes and resources that are supposed to be protected, effectively bypassing any access controls that rely on host-based routing.

Reproduction

The vulnerability can be reproduced by configuring Caddy with a host list of more than 100 entries. When a request is sent with the Host header modified to change the case, the request may bypass the intended routing and access controls. This can be automated with a script that uses curl to send requests to the Caddy server.
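The following Go program is an added illustration, not Caddy's code and not taken from this advisory. It models the class of defect the advisory describes: a host matcher whose slow path compares case-insensitively but whose fast path, used only once the host list passes a size threshold, indexes the raw strings and so silently becomes case-sensitive. The threshold, the `hostMatcher` type, the `buildHosts` helper and the `.example.test` host names are all assumptions constructed for the example. The corrected matcher folds case on both sides, and `isCaseInsensitive` is the regression check a practitioner would keep to ensure matching behaves the same regardless of list size.

```go
package main

import (
	"fmt"
	"strings"
)

// largeListThreshold is an assumed value for this example; it mirrors the
// "more than 100 entries" condition in the advisory, not Caddy's internals.
const largeListThreshold = 100

// hostMatcher is a hypothetical, simplified matcher used only to illustrate
// the bug class. It is not the project's implementation.
type hostMatcher struct {
	hosts    []string
	lookup   map[string]struct{} // fast path, built only for large lists
	caseFold bool                // whether the fast path normalizes case
}

// newVulnerableMatcher reproduces the defect: the linear path is
// case-insensitive, but the map fast path stores and looks up hosts verbatim,
// so behaviour changes once the list exceeds the threshold.
func newVulnerableMatcher(hosts []string) *hostMatcher {
	m := &hostMatcher{hosts: hosts}
	if len(hosts) > largeListThreshold {
		m.lookup = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.lookup[h] = struct{}{} // bug: key not normalized
		}
	}
	return m
}

// newFixedMatcher lowercases every key and every lookup so the fast path
// matches exactly what the linear path would match.
func newFixedMatcher(hosts []string) *hostMatcher {
	m := &hostMatcher{hosts: hosts, caseFold: true}
	if len(hosts) > largeListThreshold {
		m.lookup = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.lookup[strings.ToLower(h)] = struct{}{}
		}
	}
	return m
}

// Match reports whether reqHost (the value of the Host header) is in the list.
func (m *hostMatcher) Match(reqHost string) bool {
	if m.lookup != nil {
		key := reqHost
		if m.caseFold {
			key = strings.ToLower(reqHost)
		}
		_, ok := m.lookup[key]
		return ok
	}
	for _, h := range m.hosts {
		if strings.EqualFold(h, reqHost) {
			return true
		}
	}
	return false
}

// buildHosts constructs n sample host names (constructed data for the example).
func buildHosts(n int) []string {
	hosts := make([]string, 0, n)
	for i := 1; i <= n; i++ {
		hosts = append(hosts, fmt.Sprintf("app%d.example.test", i))
	}
	return hosts
}

// isCaseInsensitive is the regression check: every configured host must match
// in its original, upper-case and mixed-case forms.
func isCaseInsensitive(m *hostMatcher, hosts []string) bool {
	for _, h := range hosts {
		mixed := strings.ToUpper(h[:1]) + h[1:]
		if !m.Match(h) || !m.Match(strings.ToUpper(h)) || !m.Match(mixed) {
			return false
		}
	}
	return true
}

func main() {
	hosts := buildHosts(largeListThreshold + 1)
	fmt.Println("vulnerable matcher, >100 hosts, case-insensitive:", isCaseInsensitive(newVulnerableMatcher(hosts), hosts))
	fmt.Println("fixed matcher,      >100 hosts, case-insensitive:", isCaseInsensitive(newFixedMatcher(hosts), hosts))
	small := buildHosts(10)
	fmt.Println("vulnerable matcher,  10 hosts, case-insensitive:", isCaseInsensitive(newVulnerableMatcher(small), small))
}
```

The useful property of `isCaseInsensitive` is that it exercises the matcher at both sides of the size threshold with the same inputs; a matcher that passes with 10 hosts and fails with 101 has exactly the divergence the advisory describes, which a test of the small configuration alone would never surface.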

Remediation

Users can upgrade to Caddy version 2.11.1 or later, where this vulnerability has been fixed.

Added: Feb 24, 2026, 5:31 PM
Updated: Feb 24, 2026, 10:09 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.7
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.