github.com/mholt/caddy is vulnerable to hostname enumeration. The vulnerability is possible because the library does not properly return correct certificates if the request is invalid. Using this loophole, an attacker can intentionally send repeated invalid requests with a nonexistent hostname in the host header to enumerate through all the certificates on the server.