Improper Verification of Cryptographic Signature Affecting caddy package, versions <2.11.0-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.13% (4th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-CADDY-15325100
  • published21 Feb 2026
  • disclosed6 Feb 2026

Introduced: 6 Feb 2026

CVE-2026-25793  (opens in a new tab)
CWE-347  (opens in a new tab)

How to fix?

Upgrade Chainguard caddy to version 2.11.0-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream caddy package and not the caddy package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3.

CVSS Base Scores

version 3.1