Nixpkgs security tracker

Untriaged

Permalink CVE-2026-27585

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

References

https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4 x_refsource_CONFIRM
https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361 x_refsource_MISC
https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398 x_refsource_MISC
https://github.com/caddyserver/caddy/releases/tag/v2.11.1 x_refsource_MISC

Affected products

caddy

==< 2.11.1

Matching in nixpkgs

pkgs.caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

nixos-unstable 2.11.1
- nixpkgs-unstable 2.11.1
- nixos-unstable-small 2.11.1
nixos-25.11 2.10.2
- nixos-25.11-small 2.10.2
- nixpkgs-25.11-darwin 2.10.2

pkgs.xcaddy

Build Caddy with plugins

nixos-unstable 0.4.5
- nixpkgs-unstable 0.4.5
- nixos-unstable-small 0.4.5
nixos-25.11 0.4.5
- nixos-25.11-small 0.4.5
- nixpkgs-25.11-darwin 0.4.5

pkgs.caddyfile-language-server

Basic language server for caddyfile

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.vimPlugins.nvim-treesitter-parsers.caddy

None

nixos-unstable 0.0.0+rev=2686186
- nixpkgs-unstable 0.0.0+rev=2686186
- nixos-unstable-small 0.0.0+rev=2686186
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin