This release includes 5 security fixes of interest to security teams reviewing exposed deployments.
ReleasePort's take
Signal: Moderate. Caddy v2.11.4 delivers critical security patches for path matching, query handling, and TLS authentication.
Why it matters: Addresses two high-severity vulnerabilities (GHSA-vcc4-2c75-vc9v and placeholder re-expansion) that could enable injection attacks; upgrade to mitigate before exploitation.
Summary
AI summary: Security patches across caddyhttp, rewrite, templates, caddytls, reverseproxy, and dependency upgrades.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Patch for GHSA-vcc4-2c75-vc9v fixes a vulnerability. | — |
| Security | High | Prevent placeholder re-expansion in injected query to stop injection attacks. | — |
| Feature | Low | Prioritize zstd and brotli over gzip in content negotiation. | — |
| Feature | Low | Support `caddy start` on IPv6-only hosts. | — |
| Dependency | Low | Upgrade dependencies across the project. | — |
| Performance | Low | Optimize memory allocation for file placeholders in replacer. | — |
| Bugfix | Medium | Normalize Windows backslashes in path matcher to avoid mismatches. | — |
| Bugfix | Medium | Fix client authentication handling in caddytls. | — |
| Bugfix | Medium | Resolve TLS state races and ECH rotation retry issues. | — |
| Bugfix | Medium | Fix incorrect error message on duplicate matchers in httpcaddyfile. | — |

Row summaries generated by llm_adapter@2026-06-03, confidence: high.
Full changelog
This release patches more security, security-adjacent, and normal bugs. The FrankenPHP project has collaborated on PHP-adjacent patches, which we are grateful for.
The recent surge of patches is mostly attributed to token predictors. We have had to reject more than 75% of "security" reports because they were AI slop spam (or just lazy/incorrect). Please use LLMs and agents wisely to avoid wasting precious maintainer resources. We have started blocking offending accounts that spam slop reports. Thank you to all who submit responsible reports following our security policy to make the project better. We appreciate that the community deems the Caddy project worthy of contribution to improve the broader ecosystem!
Security-related patches:
- caddyhttp: Normalize Windows backslashes in path matcher (thanks @Vincent550102)
- rewrite: Prevent placeholder re-expansion in injected query (thanks @WhiskerEnt)
- templates: Improved `stripHTML` action to more reliably remove malformed HTML (thanks to @jmrcsnchz)
- caddyhttp: Ignore header fields with underscores to prevent collisions (thanks @Vincent550102 for the report and @dunglas for the patch)
There are also several other various fixes and enhancements by many other contributors. Thank you everyone who participated!
What's Changed
- reverseproxy: further prevent body closes from dial errors by @jameshartig in https://github.com/caddyserver/caddy/pull/7715
- caddytls: Fix client auth (fix #7724) by @mholt in https://github.com/caddyserver/caddy/pull/7727
- chore: deps upgrade by @mohammed90 in https://github.com/caddyserver/caddy/pull/7751
- caddyhttp: omit Last-Modified for unusable mod times by @bb4242 in https://github.com/caddyserver/caddy/pull/7740
- caddytls: fix TLS state races and ECH rotation retry by @broady in https://github.com/caddyserver/caddy/pull/7756
- chore: clean up wording and typo fixes by @steadytao in https://github.com/caddyserver/caddy/pull/7745
- reverseproxy: Add regression test for DialInfo network override by @eyupcanakman in https://github.com/caddyserver/caddy/pull/7758
- caddyauth: add candidate placeholders for rejected identities by @steadytao in https://github.com/caddyserver/caddy/pull/7698
- cmd: support caddy start on IPv6-only hosts by @steadytao in https://github.com/caddyserver/caddy/pull/7744
- caddyfile: preserve implicit TLS issuer semantics by @steadytao in https://github.com/caddyserver/caddy/pull/7743
- reverseproxy: wraps request body to prevent closing if not read by @WeidiDeng in https://github.com/caddyserver/caddy/pull/7719
- caddytls: match IDN SNI in connection policies by @steadytao in https://github.com/caddyserver/caddy/pull/7742
- build(deps): bump the all-updates group across 1 directory with 9 updates by @dependabot[bot] in https://github.com/caddyserver/caddy/pull/7752
- caddyhttp: normalize Windows backslashes in path matcher by @Vincent550102 in https://github.com/caddyserver/caddy/pull/7763
- go.mod: update x/net by @steadytao in https://github.com/caddyserver/caddy/pull/7767
- rewrite: prevent placeholder re-expansion in injected query by @WhiskerEnt in https://github.com/caddyserver/caddy/pull/7761
- perf(replacer): optimize memory allocation for file placeholders by @Jualhosting in https://github.com/caddyserver/caddy/pull/7773
- caddytls: skip idna.ToASCII for pure ASCII SNI values by @sleet0922 in https://github.com/caddyserver/caddy/pull/7770
- encode: prioritize zstd and br over gzip in content negotiation by @Jualhosting in https://github.com/caddyserver/caddy/pull/7772
- httpcaddyfile: fix incorrect error message on duplicate matchers by @Brunotlps in https://github.com/caddyserver/caddy/pull/7780
- Patch for GHSA-vcc4-2c75-vc9v by @jmrcsnchz in https://github.com/caddyserver/caddy/pull/7785
New Contributors
- @jameshartig made their first contribution in https://github.com/caddyserver/caddy/pull/7715
- @bb4242 made their first contribution in https://github.com/caddyserver/caddy/pull/7740
- @broady made their first contribution in https://github.com/caddyserver/caddy/pull/7756
- @eyupcanakman made their first contribution in https://github.com/caddyserver/caddy/pull/7758
- @Vincent550102 made their first contribution in https://github.com/caddyserver/caddy/pull/7763
- @WhiskerEnt made their first contribution in https://github.com/caddyserver/caddy/pull/7761
- @Jualhosting made their first contribution in https://github.com/caddyserver/caddy/pull/7773
- @sleet0922 made their first contribution in https://github.com/caddyserver/caddy/pull/7770
- @Brunotlps made their first contribution in https://github.com/caddyserver/caddy/pull/7780
- @jmrcsnchz made their first contribution in https://github.com/caddyserver/caddy/pull/7785
Full Changelog: https://github.com/caddyserver/caddy/compare/v2.11.3...v2.11.4
Security Fixes
- GHSA-vcc4-2c75-vc9v — unspecified vulnerability patch
- caddyhttp: Normalize Windows backslashes in path matcher (prevents path traversal issues)
- rewrite: Prevent placeholder re-expansion in injected query (avoids injection attacks)
- templates: Improved `stripHTML` action to more reliably remove malformed HTML (mitigates XSS risks)
- caddyhttp: Ignore header fields with underscores to prevent collisions (addresses potential header manipulation)
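As an added illustration of the class of fix the caddyhttp path-matcher entry refers to, here is a hypothetical Go prefix matcher (not Caddy's own code) that folds Windows backslashes into forward slashes and cleans the path before any match decision, so both spellings of a path are evaluated identically; `normalizePath` and `matchPrefix` are names chosen for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// normalizePath folds Windows-style backslashes into forward slashes and
// cleans the result, so "\admin\panel", "/admin/./panel" and "/admin/panel"
// all reduce to the same canonical string before a rule is consulted.
func normalizePath(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// matchPrefix reports whether the normalized request path falls under one
// of the configured prefixes. "/admin" matches "/admin" and "/admin/..."
// but not "/administrator"; "/" matches everything.
func matchPrefix(reqPath string, prefixes []string) bool {
	norm := normalizePath(reqPath)
	for _, pre := range prefixes {
		pre = normalizePath(pre)
		if pre == "/" || norm == pre || strings.HasPrefix(norm, pre+"/") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample request paths; the rule set protects /admin.
	rules := []string{"/admin"}
	for _, p := range []string{`/admin/panel`, `\admin\panel`, `/admin\..\secret`, `/public`} {
		fmt.Printf("%-20q -> %-16q under /admin: %v\n", p, normalizePath(p), matchPrefix(p, rules))
	}
}
```

Note that `/admin\..\secret` canonicalizes to `/secret`, so the decision is made for the path the request actually resolves to rather than for its raw spelling.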