Caddy · Caddy · CVE-2026-27590
**Name of the Vulnerable Software and Affected Versions**
Caddy versions prior to 2.11.1
FrankenPHP versions prior to 1.11.2
**Description**
Caddy and FrankenPHP are vulnerable to a path confusion issue caused by incorrect handling of Unicode characters during case conversion in the FastCGI path splitting logic. The software computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change the UTF-8 byte length of some characters, producing an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`. As a result, a request containing `.php` can execute a different on-disk file than intended. In setups where an attacker can control file contents, this can lead to unintended PHP execution of non-`.php` files, potentially resulting in remote code execution (RCE). The issue stems from the `splitPos()` function, which calculates the split index from the byte length of the lowercased path and then applies that index to the original path; the two no longer line up when the path contains Unicode characters whose UTF-8 byte length changes when lowercased.
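The index mismatch described above, as an added Go illustration written for this page (constructed, not Caddy's or FrankenPHP's own code): `splitPosUnsafe` follows the lowercase-then-slice pattern, `splitPosSafe` computes the index on the original bytes, and a constructed path containing U+212A KELVIN SIGN shows the two disagreeing.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPosUnsafe mirrors the flawed pattern the advisory describes (a constructed
// illustration, not Caddy's own code): the index is found on a lowercased copy
// of the path and then applied to the original bytes.
func splitPosUnsafe(path, splitPath string) int {
	idx := strings.Index(strings.ToLower(path), strings.ToLower(splitPath))
	if idx < 0 {
		return -1
	}
	return idx + len(splitPath)
}

// splitPosSafe scans the original path with a case-insensitive window compare.
// EqualFold folds rune-wise, but whatever it matches, i indexes the original
// path, so the slice below can never land on the wrong bytes.
func splitPosSafe(path, splitPath string) int {
	n := len(splitPath)
	for i := 0; i+n <= len(path); i++ {
		if strings.EqualFold(path[i:i+n], splitPath) {
			return i + n
		}
	}
	return -1
}

// splitScript slices the original path into SCRIPT_NAME and PATH_INFO.
func splitScript(path, splitPath string, pos func(string, string) int) (scriptName, pathInfo string) {
	idx := pos(path, splitPath)
	if idx < 0 {
		return path, ""
	}
	return path[:idx], path[idx:]
}

func main() {
	// Constructed input: U+212A KELVIN SIGN is 3 bytes in UTF-8, but
	// strings.ToLower maps it to ASCII "k" (1 byte), shifting later indexes by 2.
	path := "/\u212Aelvin/index.php/extra"
	sn, pi := splitScript(path, ".php", splitPosUnsafe)
	fmt.Printf("unsafe: SCRIPT_NAME=%q PATH_INFO=%q\n", sn, pi)
	sn, pi = splitScript(path, ".php", splitPosSafe)
	fmt.Printf("safe:   SCRIPT_NAME=%q PATH_INFO=%q\n", sn, pi)
}
```

With the Kelvin-sign path the unsafe variant yields `SCRIPT_NAME="/Kelvin/index.p"` and `PATH_INFO="hp/extra"`, while the safe variant yields `/Kelvin/index.php` and `/extra`.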
**Recommendations**
Caddy versions prior to 2.11.1: Upgrade to version 2.11.1 or later.
FrankenPHP versions prior to 1.11.2: Upgrade to version 1.11.2 or later.