x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy: GHSA-7r4p-vjf4-gxv4

[GoVulnBot]

Advisory GHSA-7r4p-vjf4-gxv4 references a vulnerability in the following Go modules:

Module
github.com/caddyserver/caddy
github.com/caddyserver/caddy/v2

Description:

Summary

Caddy's forward_auth directive with copy_headers generates conditional header-set operations that only fire when the upstream auth service includes the named header in its response. No delete or remove operation is generated for the original client-supplied request header with the same name.

When an auth service returns 200 OK without one of the configured copy_headers headers, the client-supplied header passes through unchanged to the backend. Any requester holding a valid authentication token can inject arbitrary values for trusted identity headers, resulting in privileg...

References:

• ADVISORY: GHSA-7r4p-vjf4-gxv4
• ADVISORY: GHSA-7r4p-vjf4-gxv4
• FIX: forwardauth: Skip copying missing response headers caddyserver/caddy#6608
• FIX: forward_auth: copy_headers does not strip client-supplied identity headers (Fixes GHSA-7r4p-vjf4-gxv4) caddyserver/caddy#7545
• REPORT: ForwardAuth with copy_headers leaves template code in header if auth backend doesn't set that header caddyserver/caddy#6610

Cross references:

• github.com/caddyserver/caddy appears in 2 other report(s):
  • data/excluded/GO-2022-0474.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy: CVE-2022-29718 #474) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0544.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy: GHSA-m7gr-5w5g-36jf #544) EFFECTIVELY_PRIVATE
• github.com/caddyserver/caddy/v2 appears in 7 other report(s):
  • data/reports/GO-2023-1567.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2: GHSA-qpm3-vr34-h8w8 #1567)
  • data/reports/GO-2026-4535.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver: GHSA-4xrr-hq4w-6vf4 #4535)
  • data/reports/GO-2026-4536.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy/fastcgi: GHSA-5r3v-vc8m-m96g #4536)
  • data/reports/GO-2026-4537.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2: GHSA-879p-475x-rqh2 #4537)
  • data/reports/GO-2026-4538.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2/modules/caddyhttp: GHSA-g7pc-pc7g-h8jh #4538)
  • data/reports/GO-2026-4539.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2/modules/caddytls: GHSA-hffm-g8v7-wrv7 #4539)
  • data/reports/GO-2026-4541.yaml (x/vulndb: potential Go vuln in github.com/caddyserver/caddy/v2/modules/caddyhttp: GHSA-x76f-jf84-rqj8 #4541)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/caddyserver/caddy
      vulnerable_at: 1.0.5
    - module: github.com/caddyserver/caddy/v2
      versions:
        - introduced: 2.10.0
        - fixed: 2.11.2
      vulnerable_at: 2.11.1
summary: |-
    Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing
    Identity Injection and Privilege Escalation in github.com/caddyserver/caddy
cves:
    - CVE-2026-30851
ghsas:
    - GHSA-7r4p-vjf4-gxv4
references:
    - advisory: https://github.com/advisories/GHSA-7r4p-vjf4-gxv4
    - advisory: https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4
    - fix: https://github.com/caddyserver/caddy/pull/6608
    - fix: https://github.com/caddyserver/caddy/pull/7545
    - report: https://github.com/caddyserver/caddy/issues/6610
source:
    id: GHSA-7r4p-vjf4-gxv4
    created: 2026-03-07T00:01:50.671225642Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/753360 mentions this issue: data/reports: add 4 reports