DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30852: CVE-2026-30852: Double-Expansion Information Disclosure in Caddy vars_regexp

#security #cve #cybersecurity

CVE-2026-30852: Double-Expansion Information Disclosure in Caddy vars_regexp

Vulnerability ID: CVE-2026-30852
CVSS Score: 5.5
Published: 2026-03-06

CVE-2026-30852 is a moderate-severity information disclosure vulnerability in the Caddy web server. The flaw originates in the vars_regexp matcher within the caddyhttp module, where improper neutralization of special elements leads to a double-expansion of placeholders. Attackers can exploit this behavior by crafting specific HTTP request headers that, when evaluated by the vulnerable matcher, expose sensitive environment variables, local file contents, and system information.

TL;DR

A double-expansion vulnerability in Caddy's vars_regexp matcher allows unauthenticated remote attackers to leak sensitive server-side data, including environment variables and local files, by injecting Caddy placeholders into HTTP request headers.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-74, CWE-200
  • Attack Vector: Network
  • CVSS v4.0: 5.5 (Medium)
  • EPSS Score: 0.00045
  • Impact: Information Disclosure
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Caddy Web Server v2.7.5 through v2.11.1
  • Caddy: >= 2.7.5, < 2.11.2 (Fixed in: 2.11.2)

Mitigation Strategies

  • Upgrade Caddy server to version 2.11.2 or higher.
  • Review Caddy configuration and eliminate vars_regexp usage on user-controllable input.
  • Deploy WAF rules to block Caddy placeholder syntax in external requests.

Remediation Steps:

  1. Identify all running instances of Caddy server within the infrastructure.
  2. Determine the installed version via the caddy version command.
  3. If the version is between v2.7.5 and v2.11.1 inclusive, schedule an immediate maintenance window.
  4. Download the v2.11.2 release from the official Caddy repository.
  5. Replace the vulnerable binary, verify configuration compatibility, and restart the Caddy service.
  6. Implement monitoring for blocked placeholder syntax to detect targeted exploitation attempts.

References

Read the full report for CVE-2026-30852 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)