CVE-2026-7017

Source
https://cve.org/CVERecord?id=CVE-2026-7017
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7017.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7017
Downstream
Related
Published
2026-07-07T17:41:48.989Z
Modified
2026-07-10T03:54:14.487144085Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
Summary
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets
Details

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.

When the server returns a 3xx redirect, _maybe_redirect follows the Location: header and _prepare_headers_and_cb re-merges the caller's headers argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied Authorization, Cookie and Proxy-Authorization headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including https to http downgrades that expose them in plaintext on the wire.

The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7017.json",
    "cna_assigner": "CPANSec",
    "cwe_ids": [
        "CWE-522"
    ]
}
References

Affected packages

Git / github.com/perl-toolchain-gang/http-tiny

Affected ranges

Type
GIT
Repo
https://github.com/perl-toolchain-gang/http-tiny
Events
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.095"
        }
    ]
}

Affected versions

release-0.*
release-0.001
release-0.002
release-0.003
release-0.004
release-0.005
release-0.006
release-0.007
release-0.008
release-0.009
release-0.010
release-0.011
release-0.012
release-0.013
release-0.014
release-0.015
release-0.016
release-0.017
release-0.018
release-0.019
release-0.020
release-0.021
release-0.022
release-0.023
release-0.024
release-0.025
release-0.026
release-0.027
release-0.028
release-0.029
release-0.030
release-0.031
release-0.032
release-0.033
release-0.034
release-0.035
release-0.036
release-0.037
release-0.038
release-0.039
release-0.040
release-0.041
release-0.042
release-0.043
release-0.044
release-0.045
release-0.046
release-0.047
release-0.048
release-0.049
release-0.050
release-0.051
release-0.052
release-0.053
release-0.054
release-0.055
release-0.056
release-0.057
release-0.058
release-0.059
release-0.061
release-0.063
release-0.064
release-0.065
release-0.067
release-0.068
release-0.069
release-0.070
release-0.071
release-0.073
release-0.074
release-0.075
release-0.076
release-0.077
release-0.078
release-0.079
release-0.080
release-0.081
release-0.082
release-0.083
release-0.084
release-0.086
release-0.088
release-0.089
release-0.090
release-0.091
release-0.092
release-0.093
release-0.094

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7017.json"