Update:
[HIGH] GHSA-3h23-rrpc-3p87: Caddy Defender trusted proxy client IP bypass
GitHub Security Advisory·Security·SecurityFix·5/19/2026
### Impact

Caddy Defender used `r.RemoteAddr` when evaluating whether a request should be blocked. `RemoteAddr` is the address of the immediate peer connected to Caddy.

In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the original client.
Why it matters → pkg.jsn.cam/caddy-defender released an update. Review the changelog for relevant changes.
Who should care → Teams using pkg.jsn.cam/caddy-defender.
pkg.jsn.cam/caddy-defender
Source payload preview
{
  "ghsaId": "GHSA-3h23-rrpc-3p87",
  "summary": "Caddy Defender trusted proxy client IP bypass",
  "severity": "HIGH",
  "updatedAt": "2026-05-19T20:29:18Z",
  "references": [
    {
      "url": "https://github.com/JasonLovesDoggo/caddy-defender/security/advisories/GHSA-3h23-rrpc-3p87"
    },
    {
      "url": "https://github.com/JasonLovesDoggo/caddy-defender/pull/139"
    },
    {
      "url": "https://github.com/advisories/GHSA-3h23-rrpc-3p87"
    }
  ],
  "description": "### Impact\n\nCaddy Defender used `r.RemoteAddr` when evaluating whether a request should be blocked. `RemoteAddr` is the address of the immediate peer connected to Caddy.\n\nIn deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the original client.
…