Windows security advisory for Caddy < 2.6.3

Adrian Denkiewicz of Doyensec has reported a bug affecting some Caddy versions v2.6.2 and earlier that could reveal files covered by the `hide` parameter of the `file_server` handler if a client crafts a request using NTFS alternate data stream (ADS) paths.

This bug was fixed here:

And was mentioned in the release notes which were announced then. The bug affected only Windows deployments.

Thank you to Adrian for the report and helping verify the fix!

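The gap described in the advisory, as an added example that is not Caddy's code or its actual fix: a name-based hide check compared with a handler that rejects stream syntax before matching. The function names, the `*.env` hide pattern, the status codes and the sample paths are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// hidden is a simplified, hypothetical name-based hide check: it matches the
// last path element against each hide pattern as a plain string.
func hidden(reqPath string, hide []string) bool {
	base := path.Base(reqPath)
	for _, pat := range hide {
		if ok, _ := path.Match(pat, base); ok {
			return true
		}
	}
	return false
}

// hasStreamSyntax reports whether the path contains ':'. On NTFS a name of the
// form "file:stream:$TYPE" addresses a stream of "file", so the string differs
// from the hidden name while the file opened is the same one.
func hasStreamSyntax(reqPath string) bool {
	return strings.Contains(reqPath, ":")
}

// decide returns the status a hardened handler would answer with: stream
// syntax is rejected before the hide patterns are consulted.
func decide(reqPath string, hide []string) int {
	clean := path.Clean("/" + reqPath)
	if hasStreamSyntax(clean) {
		return 400
	}
	if hidden(clean, hide) {
		return 404
	}
	return 200
}

func main() {
	hide := []string{"*.env"} // constructed hide list
	// Constructed request paths.
	for _, p := range []string{"/index.html", "/site/secret.env", "/site/secret.env::$DATA"} {
		fmt.Printf("%-26s hidden=%-5v status=%d\n", p, hidden(p, hide), decide(p, hide))
	}
}
```

The last sample path is reported as not hidden by the string match alone, which is why the colon check has to run first on Windows hosts.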
