GHSA-m2w3-8f23-hxxf: Caddy's vars_regexp double-expands user input, leaking env vars and files
Severity: medium · Tags: vulnerability, security
Summary
Caddy's `vars_regexp` matcher has a double-expansion bug where user input in request headers gets processed twice through the replacer (the system that substitutes placeholders like {env.DATABASE_URL}), allowing attackers to leak environment variables and file contents by crafting malicious headers. Other matchers like `header_regexp` don't have this problem because they only process the header value once.
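To make the mechanism concrete, here is an added illustration (not Caddy's code) with a toy placeholder replacer: the flawed matcher expands its configured input once to obtain the header value and then runs the replacer over that value a second time, so placeholders an untrusted client put in the header are expanded as well; the safe form expands exactly once. The `Replacer` type, the `{key}` syntax and the sample values are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Replacer is a constructed stand-in for a placeholder substitution system;
// it is not Caddy's replacer. Keys look like "env.DATABASE_URL".
type Replacer struct{ vars map[string]string }

var placeholder = regexp.MustCompile(`\{[^{}]+\}`)

// ReplaceAll substitutes every {key} with its value; unknown keys become "".
func (r Replacer) ReplaceAll(s string) string {
	return placeholder.ReplaceAllStringFunc(s, func(m string) string {
		return r.vars[strings.Trim(m, "{}")]
	})
}

// matchDoubleExpand mirrors the flaw: the configured input (for example
// "{http.request.header.X}") is expanded to the header's value, and that
// result, which the client controls, is passed through the replacer again.
func matchDoubleExpand(r Replacer, input string, pat *regexp.Regexp) (bool, string) {
	v := r.ReplaceAll(input)
	v = r.ReplaceAll(v) // second pass: header contents are treated as placeholders
	return pat.MatchString(v), v
}

// matchSingleExpand is the hardened form: the configured input is expanded
// exactly once, so a header value is only ever data.
func matchSingleExpand(r Replacer, input string, pat *regexp.Regexp) (bool, string) {
	v := r.ReplaceAll(input)
	return pat.MatchString(v), v
}

func main() {
	// Constructed sample: a secret in the environment and a header whose
	// value is the literal text "{env.DATABASE_URL}".
	r := Replacer{vars: map[string]string{
		"env.DATABASE_URL":      "postgres://user:pw@db/app",
		"http.request.header.X": "{env.DATABASE_URL}",
	}}
	pat := regexp.MustCompile(`^(.*)$`)
	_, leaked := matchDoubleExpand(r, "{http.request.header.X}", pat)
	_, safe := matchSingleExpand(r, "{http.request.header.X}", pat)
	fmt.Printf("double expansion: %q\nsingle expansion: %q\n", leaked, safe)
}
```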
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Classification
Attack Sophistication: Moderate
Affected Packages
`github.com/caddyserver/caddy/v2/modules/caddyhttp`: affected >= 2.7.5, <= 2.11.1 (fixed: 2.11.2)
Original source: https://github.com/advisories/GHSA-m2w3-8f23-hxxf
First tracked: March 6, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%