NIXPKGS-2026-0354

GitHub issue published on

Permalink CVE-2026-27585

updated 3 months ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
7 packages
- xcaddy
- caddyfile-language-server
- vimPlugins.nvim-treesitter-parsers.caddy
- tree-sitter-grammars.tree-sitter-caddyfile
- vscode-extensions.matthewpi.caddyfile-support
- python313Packages.tree-sitter-grammars.tree-sitter-caddyfile
- python314Packages.tree-sitter-grammars.tree-sitter-caddyfile
3 months ago
@LeSuisse accepted 3 months ago
@LeSuisse deleted
4 maintainers
- @ryan4yin
- @techknowlogick
- @Br1ght0ne
- @stepbrobd
3 months ago maintainer.delete
@LeSuisse published on GitHub 3 months ago

Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

References

https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4 x_refsource_CONFIRM
https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361 x_refsource_MISC
https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398 x_refsource_MISC
https://github.com/caddyserver/caddy/releases/tag/v2.11.1 x_refsource_MISC

Affected products

caddy

==< 2.11.1

Matching in nixpkgs

pkgs.caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

nixos-unstable 2.10.2
- nixpkgs-unstable 2.10.2
- nixos-unstable-small 2.11.1
nixos-25.11 2.10.2
- nixos-25.11-small 2.10.2
- nixpkgs-25.11-darwin 2.10.2

Ignored packages (7)

pkgs.xcaddy

Build Caddy with plugins

nixos-unstable 0.4.5
- nixpkgs-unstable 0.4.5
- nixos-unstable-small 0.4.5
nixos-25.11 0.4.5
- nixos-25.11-small 0.4.5
- nixpkgs-25.11-darwin 0.4.5

pkgs.caddyfile-language-server

Basic language server for caddyfile

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.vimPlugins.nvim-treesitter-parsers.caddy

None

nixos-unstable 0.0.0+rev=2686186
- nixpkgs-unstable 0.0.0+rev=2686186
- nixos-unstable-small 0.0.0+rev=2686186
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.tree-sitter-grammars.tree-sitter-caddyfile

Tree-sitter grammar for caddyfile

nixos-unstable 0-unstable-2025-12-16
- nixpkgs-unstable 0-unstable-2025-12-16
- nixos-unstable-small 0-unstable-2025-12-16

pkgs.vscode-extensions.matthewpi.caddyfile-support

Rich Caddyfile support for Visual Studio Code

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0
nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-caddyfile

Python bindings for tree-sitter-caddyfile

nixos-unstable 0+unstable20251216
- nixpkgs-unstable 0+unstable20251216
- nixos-unstable-small 0+unstable20251216

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-caddyfile