Sammiee5311

#35086 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-23797
7.5
2026-03-06
Caddy · Caddy · CVE-2026-30852
**Name of the Vulnerable Software and Affected Versions**

Caddy versions 2.7.5 through 2.11.2

**Description**

The `vars regexp` matcher in Caddy double-expands user-controlled input through the Caddy replacer. When `vars regexp` matches a placeholder like `{http.request.header.X-Input}`, the header value is resolved and then re-evaluated, allowing an attacker to inject placeholders like `{env.DATABASE_URL}` or `{file./etc/passwd}` into a request header and potentially leak environment variables, file contents, and system information. This issue stems from a code-level inconsistency: `vars regexp` includes an unnecessary second expansion step that is not present in `header regexp` and `path regexp`. The issue was introduced by a fix intended to resolve placeholder keys. An attacker can exploit this by crafting requests with malicious headers, leading to information disclosure. The vulnerability allows access to environment variables, file contents (up to 1MB), and system information such as hostname and operating system details.

**Recommendations**

Update Caddy to version 2.11.2 or later.