Caddy Double Expansion Vulnerability in vars_regexp Matcher Allows Information Disclosure

Vulnerability

A vulnerability exists in Caddy versions from 2.7.5 up to, but not including, 2.11.2, where the vars_regexp matcher (vars.go:337) improperly double-expands user-controlled input. The matcher first expands a placeholder such as {http.request.header.X-Input} to obtain the user-supplied value, then passes that resolved value through the replacement function a second time; any placeholders contained in the user input are therefore evaluated as well, exposing environment variables, file contents, and system information. The header_regexp matcher does not re-expand resolved values, so the two matchers handle input inconsistently.
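The following Go program is an added illustration of the expansion pattern described above, not Caddy's code: a toy placeholder replacer with a constructed in-memory value map stands in for Caddy's real replacer, and the header value, secret name and regexp are all constructed for the example. It contrasts a matcher that re-expands the resolved value (the behaviour described for vars_regexp) with one that expands its own placeholder only once.

```go
package main

import (
	"fmt"
	"regexp"
)

// placeholderRe matches {name} tokens; a simplified stand-in for Caddy's
// replacer syntax (constructed for this example, not Caddy's own code).
var placeholderRe = regexp.MustCompile(`\{([A-Za-z0-9_.-]+)\}`)

// Replacer is a toy placeholder resolver. Caddy's real replacer resolves
// request headers, environment variables and file contents; here the
// values come from a constructed in-memory map.
type Replacer struct{ vals map[string]string }

// expand substitutes every {name} with its value ("" if unknown).
func (r Replacer) expand(s string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(m string) string {
		return r.vals[m[1:len(m)-1]]
	})
}

// demoReplacer holds a constructed request: the client sent a header whose
// value is itself a placeholder, and the process has a secret in its env.
var demoReplacer = Replacer{vals: map[string]string{
	"http.request.header.X-Input": "{env.DB_PASSWORD}", // attacker-controlled
	"env.DB_PASSWORD":             "hunter2",           // constructed secret
}}

var anyRe = regexp.MustCompile(`^(.*)$`) // matcher regexp with one capture

// matchVulnerable models the vars_regexp behaviour the advisory describes:
// the matcher's placeholder is expanded (yielding the header value) and the
// result is run through the replacer again, so placeholders smuggled in the
// header are resolved too. The capture group now holds the secret.
func matchVulnerable(pattern string) string {
	once := demoReplacer.expand(pattern)
	twice := demoReplacer.expand(once) // second pass over user-controlled data
	return anyRe.FindStringSubmatch(twice)[1]
}

// matchFixed expands the matcher's placeholder exactly once; the header
// value is treated as opaque data and never re-expanded.
func matchFixed(pattern string) string {
	return anyRe.FindStringSubmatch(demoReplacer.expand(pattern))[1]
}

func main() {
	fmt.Println("vulnerable:", matchVulnerable("{http.request.header.X-Input}")) // hunter2
	fmt.Println("fixed:     ", matchFixed("{http.request.header.X-Input}"))      // {env.DB_PASSWORD}
}
```

The regexp capture is what makes the second expansion observable: in Caddy, matcher captures are exposed to the rest of the configuration, so a leaked value can end up in a log line or response.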

Impact

Exploiting this vulnerability allows an attacker to leak environment variables, file contents (up to 1MB), and system information from the Caddy process.

Reproduction

To reproduce this vulnerability, upload a file containing a secret to a server running an affected version of Caddy. Then, send a request to the server with a header that includes a placeholder for an environment variable or file. The server will double-expand the placeholder, leading to the unintentional disclosure of the variable or file content.

Remediation

Users can upgrade to Caddy version 2.11.2 or later to address this vulnerability.

Added: Mar 7, 2026, 5:21 PM
Updated: Mar 7, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.