Description
Caddy is an extensible server platform that uses TLS by default. In versions from 2.10.0 up to, but not including, 2.11.2, the forward_auth copy_headers option does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
Remediation
Upgrade to Caddy 2.11.2 or later, the version in which this issue was patched.