Nixpkgs security tracker
Activity log
- Created suggestion
Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malformed
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
References
-
https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7 x_refsource_CONFIRM
-
https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48 x_refsource_MISC
-
https://github.com/caddyserver/caddy/releases/tag/v2.11.1 x_refsource_MISC
Affected products
- ==< 2.11.1
Matching in nixpkgs
pkgs.caddy
Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
pkgs.xcaddy
Build Caddy with plugins
pkgs.caddyfile-language-server
Basic language server for caddyfile
pkgs.vimPlugins.nvim-treesitter-parsers.caddy
None
-
nixos-unstable 0.0.0+rev=2686186
- nixpkgs-unstable 0.0.0+rev=2686186
- nixos-unstable-small 0.0.0+rev=2686186
pkgs.tree-sitter-grammars.tree-sitter-caddyfile
Tree-sitter grammar for caddyfile
-
nixos-unstable 0-unstable-2025-12-16
- nixpkgs-unstable 0-unstable-2025-12-16
- nixos-unstable-small 0-unstable-2025-12-16
pkgs.vscode-extensions.matthewpi.caddyfile-support
Rich Caddyfile support for Visual Studio Code
pkgs.python313Packages.tree-sitter-grammars.tree-sitter-caddyfile
Python bindings for tree-sitter-caddyfile
-
nixos-unstable 0+unstable20251216
- nixpkgs-unstable 0+unstable20251216
- nixos-unstable-small 0+unstable20251216
pkgs.python314Packages.tree-sitter-grammars.tree-sitter-caddyfile
Python bindings for tree-sitter-caddyfile
-
nixos-unstable 0+unstable20251216
- nixpkgs-unstable 0+unstable20251216
- nixos-unstable-small 0+unstable20251216
Package maintainers
-
@stepbrobd Yifei Sun <ysun@hey.com>
-
@ryan4yin Ryan Yin <xiaoyin_c@qq.com>
-
@techknowlogick techknowlogick <techknowlogick@gitea.com>
-
@Br1ght0ne Oleksii Filonenko <brightone@protonmail.com>
-
@matthewpi Matthew Penner <me+nix@matthewp.io>
-
@tjni Theodore Ni <43ngvg@masqt.com>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>
-
@adfaure Adrien Faure <adfaure@pm.me>
-
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
-
@A-jay98 Ali Jamadi <ali@jamadi.me>
-
@aciceri Andrea Ciceri <andrea.ciceri@autistici.org>