GO-2026-4644

Source
https://pkg.go.dev/vuln/GO-2026-4644
Import Source
https://vuln.go.dev/ID/GO-2026-4644.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-4644
Aliases
Published
2026-03-10T18:28:25Z
Modified
2026-03-23T04:52:47.870034Z
Summary
Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy
Details

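Caddy's vars_regexp matcher double-expands user input, which can leak environment variables and files, in github.com/caddyserver/caddy. Versions of github.com/caddyserver/caddy/v2 from 2.7.5 up to, but not including, 2.11.2 are affected; upgrade to 2.11.2 or later.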

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2026-4644",
    "review_status": "REVIEWED"
}
References

Affected packages

Go / github.com/caddyserver/caddy/v2

Package

Name
github.com/caddyserver/caddy/v2
Purl
pkg:golang/github.com/caddyserver/caddy/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.7.5
Fixed
2.11.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/caddyserver/caddy/v2/modules/caddyhttp",
            "symbols": [
                "App.Cleanup",
                "App.Provision",
                "App.Start",
                "App.Stop",
                "App.Validate",
                "CELMatcherImpl",
                "CELValueToMapStrList",
                "CIDRExpressionToPrefix",
                "Error",
                "HandlerError.Error",
                "HandlerFunc.ServeHTTP",
                "Invoke.ServeHTTP",
                "LoggableHTTPHeader.MarshalLogObject",
                "LoggableHTTPRequest.MarshalLogObject",
                "LoggableTLSConnState.MarshalLogObject",
                "MatchClientIP.CELLibrary",
                "MatchClientIP.Match",
                "MatchClientIP.MatchWithError",
                "MatchClientIP.Provision",
                "MatchClientIP.UnmarshalCaddyfile",
                "MatchExpression.MarshalJSON",
                "MatchExpression.Match",
                "MatchExpression.MatchWithError",
                "MatchExpression.Provision",
                "MatchExpression.UnmarshalCaddyfile",
                "MatchExpression.UnmarshalJSON",
                "MatchHeader.CELLibrary",
                "MatchHeader.Match",
                "MatchHeader.MatchWithError",
                "MatchHeader.UnmarshalCaddyfile",
                "MatchHeaderRE.CELLibrary",
                "MatchHeaderRE.Match",
                "MatchHeaderRE.MatchWithError",
                "MatchHeaderRE.Provision",
                "MatchHeaderRE.UnmarshalCaddyfile",
                "MatchHeaderRE.Validate",
                "MatchHost.CELLibrary",
                "MatchHost.Match",
                "MatchHost.MatchWithError",
                "MatchHost.Provision",
                "MatchHost.UnmarshalCaddyfile",
                "MatchMethod.CELLibrary",
                "MatchMethod.UnmarshalCaddyfile",
                "MatchNot.MarshalJSON",
                "MatchNot.Match",
                "MatchNot.MatchWithError",
                "MatchNot.Provision",
                "MatchNot.UnmarshalCaddyfile",
                "MatchNot.UnmarshalJSON",
                "MatchPath.CELLibrary",
                "MatchPath.Match",
                "MatchPath.MatchWithError",
                "MatchPath.UnmarshalCaddyfile",
                "MatchPathRE.CELLibrary",
                "MatchPathRE.Match",
                "MatchPathRE.MatchWithError",
                "MatchProtocol.CELLibrary",
                "MatchProtocol.Match",
                "MatchProtocol.MatchWithError",
                "MatchProtocol.UnmarshalCaddyfile",
                "MatchQuery.CELLibrary",
                "MatchQuery.Match",
                "MatchQuery.MatchWithError",
                "MatchQuery.UnmarshalCaddyfile",
                "MatchRegexp.Match",
                "MatchRegexp.Provision",
                "MatchRegexp.UnmarshalCaddyfile",
                "MatchRegexp.Validate",
                "MatchRemoteIP.CELLibrary",
                "MatchRemoteIP.Match",
                "MatchRemoteIP.MatchWithError",
                "MatchRemoteIP.Provision",
                "MatchRemoteIP.UnmarshalCaddyfile",
                "MatchTLS.UnmarshalCaddyfile",
                "MatchVarsRE.CELLibrary",
                "MatchVarsRE.Match",
                "MatchVarsRE.MatchWithError",
                "MatchVarsRE.Provision",
                "MatchVarsRE.UnmarshalCaddyfile",
                "MatchVarsRE.Validate",
                "MatcherSet.Match",
                "MatcherSet.MatchWithError",
                "MatcherSets.AnyMatch",
                "MatcherSets.AnyMatchWithError",
                "MatcherSets.FromInterface",
                "MatcherSets.String",
                "ParseCaddyfileNestedMatcherSet",
                "ParseNamedResponseMatcher",
                "PrepareRequest",
                "ResponseHandler.Provision",
                "ResponseMatcher.Match",
                "ResponseWriterWrapper.Push",
                "ResponseWriterWrapper.ReadFrom",
                "Route.Provision",
                "Route.ProvisionHandlers",
                "Route.ProvisionMatchers",
                "Route.String",
                "RouteList.Provision",
                "RouteList.ProvisionHandlers",
                "RouteList.ProvisionMatchers",
                "Server.ServeHTTP",
                "StaticError.ServeHTTP",
                "StaticError.UnmarshalCaddyfile",
                "StaticIPRange.Provision",
                "StaticResponse.ServeHTTP",
                "StaticResponse.UnmarshalCaddyfile",
                "StringArray.UnmarshalJSON",
                "Subroute.Provision",
                "Subroute.ServeHTTP",
                "VarsMatcher.CELLibrary",
                "VarsMatcher.Match",
                "VarsMatcher.MatchWithError",
                "VarsMatcher.UnmarshalCaddyfile",
                "VarsMiddleware.ServeHTTP",
                "VarsMiddleware.UnmarshalCaddyfile",
                "WeakString.MarshalJSON",
                "WeakString.UnmarshalJSON",
                "celHTTPRequest.Equal",
                "celPkixName.ConvertToType",
                "celPkixName.Equal",
                "celTypeAdapter.NativeToValue",
                "extraFieldsSlogHandler.Handle",
                "extraFieldsSlogHandler.WithAttrs",
                "hijackedConn.Read",
                "hijackedConn.ReadFrom",
                "hijackedConn.Write",
                "hijackedConn.WriteTo",
                "http2Conn.Read",
                "http2Listener.Accept",
                "httpRedirectConn.Read",
                "httpRedirectListener.Accept",
                "lengthReader.Close",
                "lengthReader.Read",
                "metricsInstrumentedHandler.ServeHTTP",
                "requestID.String",
                "responseRecorder.FlushError",
                "responseRecorder.Hijack",
                "responseRecorder.ReadFrom",
                "responseRecorder.Write",
                "responseRecorder.WriteHeader",
                "responseRecorder.WriteResponse"
            ]
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-4644.json"