CVE-2026-7017

NameCVE-2026-7017
DescriptionHTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1141638, 1141639

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libhttp-tiny-perl (PTS)bookworm0.082-2vulnerable
trixie0.090-1vulnerable
forky, sid0.092-3vulnerable
perl (PTS)bullseye5.32.1-4+deb11u3vulnerable
bullseye (security)5.32.1-4+deb11u5vulnerable
bookworm5.36.0-7+deb12u3vulnerable
bookworm (security)5.36.0-7+deb12u2vulnerable
trixie5.40.1-6vulnerable
forky, sid5.40.1-8vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libhttp-tiny-perlsource(unstable)(unfixed)1141638
perlsource(unstable)(unfixed)1141639

Notes

https://lists.security.metacpan.org/cve-announce/msg/41618211/
https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36
Fixed by: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/84984ef3930ddd4afcf5eb83b40d3cee200739c3 (release-0.095)
Fixed by: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/e7a03aedf2395158f2b0d3bad2df943349227bb3 (release-0.095)
Fixed by: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/8f32ca89e21c3ad0422adc698fa6ad17a193f55f (release-0.095)

Search for package or bug name: Reporting problems