Caddy Forward Authentication Identity Injection and Privilege Escalation Vulnerability

Vulnerability

A vulnerability in Caddy's forward_auth directive allows identity injection and privilege escalation. It affects Caddy versions from 2.10.0 up to, but not including, 2.11.2. The copy_headers option of forward_auth is meant to copy identity headers (for example Remote-User) from the authentication backend's response onto the request that is then proxied to the application. When the backend's response does not include one of the listed headers, affected versions leave any client-supplied header of that name in place instead of removing it. An attacker who can reach the proxy can therefore supply arbitrary values for those trusted identity headers, and the application behind Caddy may accept them as if the authentication backend had set them.

Impact

An attacker can inject values into identity headers that Caddy then forwards to the backend application. Depending on which headers are injected and how the application maps them to roles, this can grant unauthorized access or elevated privileges, for example admin rights if the application trusts a group or role header that it expects only the authentication backend to set.

Reproduction

Configure Caddy with a forward_auth directive whose copy_headers list names the identity headers the backend application trusts. Use an authentication backend that, for the test request, returns success without setting one or more of those headers. Send a request that carries a valid authentication token (so the auth check passes) together with forged values for the identity headers. In affected versions Caddy passes the client-supplied values through unchanged, so the backend receives the injected identity; a patched version does not forward them.
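The following Caddyfile fragments are an added illustration, not configuration from the advisory or from the Caddy project. The hostnames app.example.com and auth.example.com, the upstreams auth:9091 and app:8080, the uri path, and the header names Remote-User, Remote-Groups and Remote-Email are assumptions; substitute what your auth gateway and application actually use. The two site blocks are alternatives and belong in separate Caddyfiles, since one Caddyfile cannot define the same site address twice. The first is the affected pattern described above; the second strips the identity headers from the client request before forward_auth runs, so that only values set from the auth response can reach the application.

```caddyfile
# Affected pattern (Caddy >= 2.10.0 and < 2.11.2).
# If the auth gateway answers 2xx without, say, Remote-Groups, the client's
# own Remote-Groups value reaches app:8080 unchanged.
app.example.com {
	forward_auth auth:9091 {
		uri /api/verify?rd=https://auth.example.com/
		copy_headers Remote-User Remote-Groups Remote-Email
	}
	reverse_proxy app:8080
}

# Hardened pattern (independent of version; upgrading is still the fix).
# The identity headers are deleted from the incoming request first.
# `route` is needed because Caddy's default directive order would run
# request_header after forward_auth, which would strip the copied headers
# instead of the forged ones.
app.example.com {
	route {
		request_header -Remote-User
		request_header -Remote-Groups
		request_header -Remote-Email
		forward_auth auth:9091 {
			uri /api/verify?rd=https://auth.example.com/
			copy_headers Remote-User Remote-Groups Remote-Email
		}
		reverse_proxy app:8080
	}
}
```

To test either configuration, send a request that passes the auth check but carries a forged header, for example curl -i -H "Cookie: <valid session cookie>" -H "Remote-Groups: admins" https://app.example.com/, and have the application log the identity headers it receives. With the affected pattern on an affected version, the backend sees Remote-Groups: admins whenever the auth gateway omits that header; with the hardened pattern, or on 2.11.2 and later, the forged value does not arrive.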

Remediation

Update to Caddy 2.11.2 or later, where this issue is fixed, and confirm the running binary with the caddy version command. Until the upgrade is deployed, strip the identity headers named in copy_headers from incoming client requests before forward_auth runs, so that only values set by the authentication backend can reach the application.

Added: Mar 7, 2026, 5:22 PM
Updated: Mar 7, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.4
remediation: 8.3
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.