
CVE-2022-29718: Open redirect in caddy

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.24334%
Published: 6/3/2022
Updated: 3/10/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name                     Ecosystem  Vulnerable Versions  First Patched Version
github.com/caddyserver/caddy     go         < 2.5.0              2.5.0
github.com/caddyserver/caddy/v2  go         < 2.5.0              2.5.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The critical commit b23bdcf in PR #4499 shows the fix involved reordering sanitization steps in MatchPath. Originally, it trimmed trailing dots/spaces before cleaning the path, which could leave unresolved '..' sequences after cleaning. This allowed attackers to craft URLs that bypass path normalization (e.g., '/..%2fevil.com' would become '/evil.com' after improper sanitization). The function's flawed order of operations directly enabled open redirects, as confirmed by the patch moving 'TrimRight' after path.Clean.
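The two sanitization orders the analysis contrasts, run side by side on constructed request paths (an added example, not Caddy's code; the function names are my own, and isSafeMatchedPath is a hypothetical defensive post-check, not a Caddy API):

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// trimThenClean mirrors the pre-fix ordering the analysis describes:
// trailing dots and spaces are stripped first, then the path is cleaned.
func trimThenClean(p string) string {
	p = strings.TrimRight(strings.ToLower(p), ". ")
	return path.Clean(p)
}

// cleanThenTrim mirrors the patched ordering: clean first, then trim.
func cleanThenTrim(p string) string {
	p = path.Clean(strings.ToLower(p))
	return strings.TrimRight(p, ". ")
}

// isSafeMatchedPath is a hypothetical post-condition check (not a Caddy
// API): whatever order the sanitizer used, its output must stay rooted,
// contain no ".." segment and end in neither a dot nor a space.
func isSafeMatchedPath(p string) bool {
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") {
		return false
	}
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return false
		}
	}
	return strings.TrimRight(p, ". ") == p
}

func main() {
	// Constructed request paths: the advisory's encoded example plus two
	// paths on which the two orderings disagree.
	for _, raw := range []string{"/..%2fevil.com", "/Admin/..%20", "/index.php./"} {
		p, err := url.PathUnescape(raw) // what a matcher sees in r.URL.Path
		if err != nil {
			continue
		}
		fmt.Printf("%-16q trim-then-clean=%-12q clean-then-trim=%q\n",
			raw, trimThenClean(p), cleanThenTrim(p))
	}
}
```

On "/index.php./" the pre-fix order leaves the trailing dot in place (the trailing slash shields it from TrimRight), while the patched order removes it; the encoded example collapses to "/evil.com" under both orders once the path is decoded.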

WAF Protection Rules

WAF Rule

Caddy v*.* was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
