Caddy 2.10.2 Upgrade Leaves 18 High/Critical CVEs Unresolved in Upstream Dependencies
A vulnerability remediation effort for the Caddy web server has stalled, leaving 18 high- and critical-severity findings unresolved despite an upgrade to version 2.10.2. Moving from 2.10.0 to 2.10.2 reduced the count from 24 high/critical findings to 18, but the remaining vulnerabilities sit in the upstream libraries compiled into the Caddy binary. Because Caddy is a statically linked Go binary, the versions of those libraries are fixed at Caddy's build time; a deployment cannot patch them independently of a new Caddy release, so the exposure persists until the project ships a tag that pulls in fixed versions.
The internal investigation, tracked under issue #428, found that the problem is not in Caddy's own code but in the libraries it depends on. The initial scan of 2.10.0 showed 6 critical and 18 high findings. After the move to 2.10.2 the numbers improved only slightly, to 4 critical and 14 high. The official release therefore does not yet include fixed versions of the affected dependencies, either because the project has not bumped them or because no upstream fix exists yet, which shifts the burden to downstream users and template maintainers to track upstream advisories. One caveat when reading such scan results: a scanner that matches on module versions reports every known CVE in a vulnerable dependency version, whether or not Caddy actually calls the affected code, so a finding counted here is not automatically a reachable weakness in the server.
The ongoing goals are to evaluate newer Caddy tags for further reductions, track upstream dependency fixes, and formulate a safe upgrade strategy for deployment templates. The acceptance criteria require evaluating candidate versions, documenting the selected target, and updating all references once a safer tag is validated. Until then, teams have to keep re-scanning each new tag and checking which remaining findings have an upstream fix that Caddy has not yet picked up, because the security of their web server deployment depends on when third-party library maintainers and the Caddy project ship those fixes.
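The evaluation the issue describes (scan each candidate tag, separate Caddy's own findings from dependency findings, note which dependency findings already have an upstream fix, and pick a target) can be scripted. The following is an added example written for this page, not code from issue #428 or from the Caddy project. Its scan data is constructed: the CVE ids, the `github.com/example/...` module paths and the version numbers are placeholders, and the record shape (id, severity, module, installed, fixed) is a simplified stand-in for a real scanner's report; only `github.com/caddyserver/caddy/v2` is Caddy's real module path.

```python
"""Evaluate candidate Caddy tags by their unresolved high/critical findings.

Added example, not code from the tracked issue (#428) or the Caddy project.
The scan data below is CONSTRUCTED: CVE ids, example.com module paths and
versions are placeholders, and the record shape is a simplified stand-in
for what a binary scanner emits.
"""
from typing import Dict, List, Optional, Set, Tuple

CADDY_MODULE = "github.com/caddyserver/caddy/v2"  # Caddy's real module path
ACTIONABLE = {"CRITICAL", "HIGH"}

# Constructed findings per candidate tag. "fixed" is the first upstream
# release of the module that closes the finding, or None if no fix is known.
SCANS: Dict[str, List[dict]] = {
    "2.10.0": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "module": "github.com/example/dep-a", "installed": "v1.2.0", "fixed": "v1.2.3"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "module": "github.com/example/dep-b", "installed": "v0.9.0", "fixed": None},
        {"id": "CVE-0000-0003", "severity": "HIGH", "module": CADDY_MODULE, "installed": "v2.10.0", "fixed": "v2.10.2"},
        {"id": "CVE-0000-0004", "severity": "HIGH", "module": "github.com/example/dep-c", "installed": "v3.0.0", "fixed": "v3.0.1"},
        {"id": "CVE-0000-0005", "severity": "MEDIUM", "module": "github.com/example/dep-d", "installed": "v1.0.0", "fixed": None},
    ],
    "2.10.2": [
        # dep-a has a fix upstream, but this tag still ships the old version
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "module": "github.com/example/dep-a", "installed": "v1.2.0", "fixed": "v1.2.3"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "module": "github.com/example/dep-b", "installed": "v0.9.0", "fixed": None},
        {"id": "CVE-0000-0005", "severity": "MEDIUM", "module": "github.com/example/dep-d", "installed": "v1.0.0", "fixed": None},
    ],
}


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Bucket HIGH/CRITICAL findings by where the fix has to come from.

    own         -> in Caddy's own module: closed by a Caddy release
    dep_fixable -> dependency with an upstream fix: Caddy must bump it
    dep_unfixed -> dependency with no known fix: nothing to upgrade to yet
    """
    out = {"total": 0, "own": 0, "dep_fixable": 0, "dep_unfixed": 0}
    for f in findings:
        if f["severity"] not in ACTIONABLE:
            continue
        out["total"] += 1
        if f["module"] == CADDY_MODULE:
            out["own"] += 1
        elif f["fixed"] is not None:
            out["dep_fixable"] += 1
        else:
            out["dep_unfixed"] += 1
    return out


def resolved_between(scans: Dict[str, List[dict]], old: str, new: str) -> Set[str]:
    """IDs of HIGH/CRITICAL findings present in `old` but gone in `new`."""
    def ids(tag: str) -> Set[str]:
        return {f["id"] for f in scans[tag] if f["severity"] in ACTIONABLE}
    return ids(old) - ids(new)


def _tag_key(tag: str) -> Tuple[int, ...]:
    """Numeric sort key for a dotted version tag such as 2.10.2."""
    return tuple(int(p) for p in tag.split("."))


def pick_target(scans: Dict[str, List[dict]]) -> Optional[str]:
    """Choose the tag with the fewest actionable findings; newest wins a tie.

    Tags that still carry findings in Caddy's own module are never chosen,
    since a newer Caddy release is the only thing that closes those.
    """
    candidates = []
    for tag, findings in scans.items():
        s = summarize(findings)
        if s["own"] == 0:
            candidates.append((s["total"], tuple(-x for x in _tag_key(tag)), tag))
    if not candidates:
        return None
    return min(candidates)[2]


if __name__ == "__main__":
    for tag in sorted(SCANS, key=_tag_key):
        print(tag, summarize(SCANS[tag]))
    print("resolved 2.10.0 -> 2.10.2:", sorted(resolved_between(SCANS, "2.10.0", "2.10.2")))
    print("selected target:", pick_target(SCANS))
```

To feed real data into this, list the modules compiled into a Caddy binary with `go version -m caddy` and scan the binary with `govulncheck -mode=binary caddy`; mapping that tool's output into the record shape above is left to the reader and is an assumption of this example. The `dep_fixable` bucket is the one worth watching between tags: those findings disappear as soon as Caddy bumps the dependency, whereas `dep_unfixed` findings need an upstream release first.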