Caddy Cross-Origin Configuration Injection Vulnerability via Local Admin API

Vulnerability

A vulnerability exists in Caddy's local admin API in versions prior to 2.11.1. The issue arises from the `POST /load` endpoint, which accepts cross-origin requests that replace the entire running configuration. When origin enforcement is disabled, an attacker can manipulate the admin settings and HTTP server behavior without the user's knowledge. Exploitation requires the victim to be running Caddy with the admin API enabled and to visit an attacker-controlled webpage.

Impact

Exploitation of this vulnerability allows an attacker to arbitrarily modify the Caddy configuration, potentially changing admin listener settings or altering HTTP server responses and routing.

Reproduction

The vulnerability can be reproduced by sending a cross-origin `POST` request to the `/load` endpoint of the local Caddy admin API while origin enforcement is disabled. The request can be issued from an attacker-controlled webpage that the victim visits, since the API accepts cross-origin requests by default.

Remediation

Users are advised to update to Caddy version 2.11.1 or later. Additionally, ensure that origin enforcement is enabled for the admin API to prevent unauthorized cross-origin requests.
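A defender-side check for the configuration condition described above: the script below, added here and not part of the advisory or of Caddy itself, reads a Caddy JSON config and reports whether the `admin` block leaves the API reachable without origin enforcement. The config keys used (`admin.disabled`, `admin.listen`, `admin.enforce_origin`, `admin.origins`) are Caddy's own; the two sample configs are constructed for illustration, and the origin value format in the hardened sample is an assumption.

```python
import json

# Constructed sample: admin API enabled, origin enforcement left at its default (off).
WEAK_CONFIG = json.dumps({
    "admin": {"listen": "localhost:2019"},
    "apps": {"http": {"servers": {}}},
})

# Constructed sample: origin enforcement on with an explicit allow-list
# (assumes Caddy's host[:port] origin format).
HARDENED_CONFIG = json.dumps({
    "admin": {
        "listen": "localhost:2019",
        "enforce_origin": True,
        "origins": ["localhost:2019"],
    },
    "apps": {"http": {"servers": {}}},
})


def audit_admin(config_text: str) -> list[str]:
    """Return a list of findings about the admin block; empty means no issue found."""
    cfg = json.loads(config_text)
    admin = cfg.get("admin") or {}
    findings: list[str] = []

    # A disabled admin API exposes no /load endpoint at all, so nothing else applies.
    if admin.get("disabled") is True:
        return findings

    # The advisory's remediation: origin enforcement must be enabled so that a
    # cross-origin POST /load from a victim's browser is rejected.
    if admin.get("enforce_origin") is not True:
        findings.append(
            "admin.enforce_origin is not true: cross-origin POST /load "
            "can replace the running configuration (fixed in Caddy 2.11.1)"
        )

    # With enforcement on, an explicit allow-list makes the accepted origins auditable.
    if not admin.get("origins"):
        findings.append("admin.origins is empty: no explicit origin allow-list")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_admin(cfg) or ['ok']}")
```

Run it against the output of `GET /config/` from an existing instance (or a saved JSON config) to confirm the setting before and after upgrading.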

Added: Feb 24, 2026, 5:31 PM
Updated: Feb 24, 2026, 10:08 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  7.7
  remediation     0.0
  relevance       3.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.