CVE-2022-34037

7.5 HIGH

📋 TL;DR

CVE-2022-34037 is an out-of-bounds read vulnerability in Caddy web server's rewrite module that can cause denial of service. Attackers can crash the server by sending specially crafted URIs. This affects administrators running Caddy with rewrite rules that process malformed request URIs.

💻 Affected Systems

Products:
  • Caddy
Versions: v2.5.1 specifically (status in other versions is disputed)
Operating Systems: All platforms running Caddy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable with specific rewrite configurations that process malformed URIs. The vulnerability is disputed: some consider it a bug rather than a security issue.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption where Caddy crashes and stops serving requests, requiring a manual restart.

🟠 Likely Case

Partial service disruption where specific requests cause empty responses but the server remains running.

🟢 If Mitigated

No impact if proper rewrite configurations are used and malformed URIs are filtered upstream.

🌐 Internet-Facing: MEDIUM - Requires specific rewrite configuration and malformed URIs, but internet-facing servers are exposed to crafted requests.
🏢 Internal Only: LOW - Internal servers have limited exposure to crafted attack traffic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted URIs to vulnerable rewrite configurations. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.5.2 and later

Vendor Advisory: https://github.com/caddyserver/caddy/issues/4775

Restart Required: Yes

Instructions:

1. Update Caddy to v2.5.2 or later using your package manager or download from caddyserver.com.
2. Restart the Caddy service.
3. Verify the version with 'caddy version'.

🔧 Temporary Workarounds

Remove or fix rewrite rules (applies to: all)

Review and fix rewrite configurations that might process malformed URIs:

  • Review Caddyfile rewrite directives
  • Test rewrite rules with various URI formats

Implement request filtering (applies to: all)

Add middleware to filter malformed URIs before they reach the rewrite module:

  • Add try_files or other validation middleware in the Caddyfile

🧯 If You Can't Patch

  • Implement WAF or reverse proxy to filter malformed URIs before they reach Caddy
  • Monitor logs for unusual URI patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check if running Caddy v2.5.1 with rewrite rules that might process malformed URIs

Check Version:

caddy version

Verify Fix Applied:

Confirm the Caddy version is v2.5.2 or later and re-test with the previously problematic URIs.
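The version check above, as an added POSIX shell example (not part of the original advisory or of the Caddy project): it parses the first token of `caddy version` output and decides whether the installed build is v2.5.2 or later. The sample version strings in the comments and test are constructed.

```shell
#!/bin/sh
# Added example: decide whether a reported Caddy version carries the fix
# (v2.5.2 or later, per the advisory). `caddy version` prints a line such
# as "v2.5.1 h1:<module hash>" (hash shown here only as a placeholder).

# Extract "MAJOR.MINOR.PATCH" from the first token of the version output:
# drop a leading "v" and any pre-release/build suffix ("-beta.1", "+dirty").
caddy_semver() {
    printf '%s\n' "$1" | awk '{print $1}' | sed -e 's/^v//' -e 's/[-+].*$//'
}

# Return 0 when the version is v2.5.2 or later, 1 when it is older,
# and 2 when the output cannot be parsed (e.g. a "(devel)" build).
caddy_is_fixed() {
    ver=$(caddy_semver "$1")
    case "$ver" in
        ""|*[!0-9.]*) return 2 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # A bare "2.5" has no patch component; treat it as 2.5.0.
    [ "$patch" = "$rest" ] && patch=0
    [ "$rest" = "$ver" ] && minor=0 && patch=0
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -lt 2 ]; then return 1; fi
    if [ "$minor" -gt 5 ]; then return 0; fi
    if [ "$minor" -lt 5 ]; then return 1; fi
    [ "$patch" -ge 2 ]
}

# Stand-alone use: query the installed binary, if one is on PATH, and report.
if command -v caddy >/dev/null 2>&1; then
    out=$(caddy version)
    if caddy_is_fixed "$out"; then
        echo "fixed: $out"
    else
        echo "NOT fixed or unparseable: $out"
    fi
fi
```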

📡 Detection & Monitoring

Log Indicators:

  • Empty HTTP responses
  • Panic logs from rewrite module
  • Unusual URI patterns in access logs

Network Indicators:

  • HTTP requests with malformed URIs
  • Sudden drop in successful responses

SIEM Query:

source="caddy" AND (message="panic" OR status="-" OR uri="*malformed*")

🔗 References
