CVE-2026-7017 PUBLISHED

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets

Assigner: CPANSec
Reserved: 25.04.2026 Published: 07.07.2026 Updated: 07.07.2026

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.

When the server returns a 3xx redirect, _maybe_redirect follows the Location: header and _prepare_headers_and_cb re-merges the caller's headers argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied Authorization, Cookie and Proxy-Authorization headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including https to http downgrades that expose them in plaintext on the wire.

The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

Product Status

Vendor HAARG
Product HTTP::Tiny
Versions Default: unaffected
  • affected from 0 to 0.095 (excl.)

Solutions

Upgrade to HTTP-Tiny 0.095-TRIAL or later.

References

Problem Types

  • CWE-522 Insufficiently Protected Credentials CWE