Caddy
Caddy is a modern HTTP server written in Go, notable for automatic HTTPS via Let's Encrypt and a declarative Caddyfile configuration. It is increasingly used in developer environments and AI deployment stacks as a lightweight reverse proxy. NVD tracks it as caddyserver:caddy.
Querying Caddy
caddy: 2.7.6, 2.6.4, 2.5.2

```shell
curl "https://api.attestd.io/v1/check?product=caddy&version=2.6.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

Caddy 2.6.0 is affected by CVE-2023-44487 (HTTP/2 Rapid Reset). The aggregated response reports risk_state: "high".
```json
{
  "product": "caddy",
  "version": "2.6.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "denial_of_service",
    "internet_exposed_service",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.7.5",
  "confidence": 0.76,
  "cve_ids": ["CVE-2023-44487"],
  "last_updated": "2026-02-23T18:21:30Z"
}
```

Caddy 2.7.6 has no known relevant vulnerabilities at the time of the last synthesis run.
```shell
curl "https://api.attestd.io/v1/check?product=caddy&version=2.7.6" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

CVE history
Caddy's CVE history is relatively thin compared to older servers. The most significant issue is the industry-wide HTTP/2 Rapid Reset (CVE-2023-44487), which affected all HTTP/2 server implementations. Additional CVEs will appear as NVD coverage for caddyserver:caddy matures.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2023-44487 | HTTP/2 Rapid Reset attack: server cancels streams via RST_STREAM without rate limiting, enabling high-volume denial of service. Affects all HTTP/2 servers. | < 2.7.5 | 7.5 |