Summary
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
References
Related vulnerabilities
All Supply chain →- CRITICALGHSA-4XPC-PV4P-PM3W
LiteLLM: Authentication Bypass via Host Header Injection
- MEDIUMGHSA-JVC7-762P-3743
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
- CRITICALGHSA-94F4-HR76-P5J6
vLLM: OpenAI auth bypass
- MEDIUMGHSA-HVCG-QMG6-JM4C
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
- LOWGHSA-4PX2-PW77-VC85
SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec
- HIGHSC-DEPENDABOT-IMPERSONATION-2023
Between July 8 and July 11, 2023, in a campaign documented by Checkmarx, attackers pushed malicious commits to hundreds of public and private GitHub repositories while disguising them as automated contributions from the legitimate Dependabot bot. The attackers obtained victims' GitHub Personal Access Tokens, likely exfiltrated from developer machines via a malicious open-source package, and used those tokens to push commits whose author and commit message ('fix') were falsified to appear as the dependabot[bot] account, since Git and the GitHub API let a token holder set arbitrary commit metadata and PAT activity does not surface in the account audit log. Each malicious commit added a GitHub Actions workflow file (hook.yml) that triggered on every push and exfiltrated the project's defined secrets and environment variables to an attacker-controlled command-and-control server. The same commits modified existing JavaScript files in the repository, injecting obfuscated web-form password-stealer code that captured credentials submitted by end users and forwarded them to the same server. Most affected accounts belonged to Indonesian developers.