NIXPKGS-2026-0255

GitHub issue published on 15 Feb 2026

Permalink CVE-2026-24853

updated 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks ago
@LeSuisse published on GitHub 3 weeks ago

Caido has an insufficient patch for DNS rebind leading to RCE

Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0.

References

https://github.com/caido/caido/security/advisories/GHSA-3q5q-p8vj-8783 x_refsource_CONFIRM
https://github.com/caido/caido/security/advisories/GHSA-3q5q-p8vj-8783 x_refsource_CONFIRM

Affected products

caido

==< 0.55.0

Matching in nixpkgs

pkgs.caido

Lightweight web security auditing toolkit

nixos-unstable 0.55.1
- nixpkgs-unstable 0.55.1
- nixos-unstable-small 0.55.1
nixos-25.11 0.53.1
- nixos-25.11-small 0.53.1
- nixpkgs-25.11-darwin 0.53.1

Package maintainers

@zeshi09 blackzeshi <sergey_zhuzhgov@mail.ru>
@D3vil0p3r Antonio Voza <vozaanthony@gmail.com>
@octodi octodi <octodi@proton.me>

Upstream advisory: https://github.com/caido/caido/security/advisories/GHSA-3q5q-p8vj-8783

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0255

References

Affected products

Matching in nixpkgs

pkgs.caido

Package maintainers