Listen to this Post
The vulnerability exists in TopicSelectorStore where cache keys are built by concatenating topic selector and topic with an underscore: k = “m_” + selector + “_” + topic. Since both inputs may contain underscores, two different pairs can collide. For example, selector “foo_bar” with topic “baz” yields key “m_foo_bar_baz”, while selector “foo” with topic “bar_baz” yields the same key. An attacker who can subscribe or publish crafted topic names can poison this cache. When a collision occurs, the cache returns a stored match result for a different (selector, topic) pair. This can cause private updates to be delivered to unauthorized subscribers or block delivery to authorized ones because authorization checks rely on the cached match. The cache is used internally to speed up topic selector evaluation. By exploiting the collision, the attacker bypasses these checks, leading to potential information disclosure or denial of service. The fix replaces the string key with a typed Go struct key (matchCacheKey{topicSelector, topic}) which is collision-free. The internal sharded cache abstraction was also removed in favor of a single typed otter cache. Users should upgrade to v0.22.0 or later. Workaround: disable the cache entirely by setting topic_selector_cache to -1 in Caddyfile or cache size 0 in library mode, sacrificing performance.
Platform: Caddy
Version: <0.22.0
Vulnerability: Cache key collision
Severity: Medium
date: 2024-03-15
Prediction: Patch already available
What Undercode Say:
Check current Caddy version caddy version Verify vulnerable cache key pattern (simulated) echo "m_foo_bar_baz" | grep -E '^m_.+_.+$' Disable cache as workaround (Caddyfile) echo "topic_selector_cache -1" >> Caddyfile Upgrade to patched version caddy upgrade --version 0.22.0
Exploit:
Attacker subscribes with selector “foo_bar” topic “baz” to poison cache entry for (“foo”,”bar_baz”). Then publishes private update for topic “bar_baz” expecting selector “foo” – cache returns match for (“foo_bar”,”baz”) causing unauthorized delivery.
Protection from this CVE:
Upgrade to v0.22.0+ or disable topic selector cache (set size 0 or -1). After upgrade, typed struct keys prevent any collision.
Impact:
Private updates leak to unauthorized subscribers or legitimate subscribers miss updates, breaking confidentiality and availability of topic-based messaging.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

