CVE-2022-29718: Open redirect in caddy
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-29718
GHSA ID:
EPSS Score: 0.24334%
CWE:
Published: 6/3/2022
Updated: 3/10/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/caddyserver/caddy | go | < 2.5.0 | 2.5.0 |
| github.com/caddyserver/caddy/v2 | go | < 2.5.0 | 2.5.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
Commit b23bdcf in PR #4499 shows that the fix reordered the sanitization steps in MatchPath. Originally the function trimmed trailing dots and spaces before cleaning the path, which could leave unresolved '..' sequences after cleaning. An attacker could therefore craft URLs that bypass path normalization (for example, '/..%2fevil.com' would become '/evil.com' after the flawed sanitization). This incorrect order of operations directly enabled open redirects, as confirmed by the patch, which moves the 'TrimRight' call after path.Clean.
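The analysis above turns on the order in which a request path is decoded, normalized and trimmed. The Go program below is an added example, not Caddy's code and not the patch under discussion; its function names and sample inputs are constructed for illustration. It shows why percent-decoding has to happen before path.Clean (cleaning the still-encoded '/..%2fevil.com' leaves one opaque segment that only later decodes to '/../evil.com', whereas decoding first yields '/evil.com', the value quoted above), and why a trailing-dot/space trim applied after Clean should itself be followed by a second Clean and an explicit check, since the trim can leave a trailing slash that the first Clean already removed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// cleanThenDecode is the fragile order: path.Clean runs on the still
// percent-encoded string, so an encoded "/" or "." is just part of an
// ordinary segment and takes no part in normalization. Decoding afterwards
// can therefore re-introduce ".." and "/" into the already "cleaned" path.
// (Hypothetical helper written for this example.)
func cleanThenDecode(rawPath string) (string, error) {
	p := path.Clean("/" + rawPath)
	return url.PathUnescape(p)
}

// decodeThenClean is the robust order: decode, clean, trim the trailing
// dots/spaces that Windows file systems ignore, then clean once more and
// verify that no parent-directory segment survived.
// (Hypothetical helper written for this example.)
func decodeThenClean(rawPath string) (string, error) {
	p, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err // malformed escape such as "%zz"
	}
	p = path.Clean("/" + p)        // resolves "." and "..", merges "//"
	p = strings.TrimRight(p, ". ") // "/index.php. " -> "/index.php"
	p = path.Clean("/" + p)        // trim may leave "/admin/"; normalize again
	if hasDotDotSegment(p) {
		return "", errors.New("path still contains a parent-directory segment")
	}
	return p, nil
}

// hasDotDotSegment reports whether any "/"-separated segment is exactly "..".
func hasDotDotSegment(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs, not captured traffic.
	inputs := []string{
		"/..%2fevil.com",      // encoded form quoted in the analysis above
		"/admin/%2e%2e/login", // encoded dots inside the path
		"/admin/..%20",        // trailing encoded space after ".."
		"/index.php.%20",      // legitimate trailing dot/space trimming case
	}
	for _, in := range inputs {
		fragile, _ := cleanThenDecode(in)
		robust, err := decodeThenClean(in)
		fmt.Printf("%-22s clean-then-decode=%-22q decode-then-clean=%q err=%v\n",
			in, fragile, robust, err)
	}
}
```

Running the program shows that only the decode-then-clean variant maps every input to a path free of '..' segments; the clean-then-decode variant hands '/../evil.com' and '/admin/../login' to whatever matcher or redirect logic runs next.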