CVE-2025-40927
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-08-29
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perl | cgi_simple | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-40927 is an HTTP response splitting vulnerability in CGI::Simple versions before 1.282 for Perl. It occurs because the software improperly validates input in HTTP headers, allowing an attacker to inject newline characters (%0A) into query parameters. This injection causes the server to split the HTTP response, enabling the attacker to insert arbitrary headers or even HTML/JavaScript content into the response. This can lead to reflected cross-site scripting (XSS), open redirects, cache poisoning, and header manipulation. [2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to manipulate HTTP responses from your server. Specifically, they can inject malicious scripts (reflected XSS), redirect users to malicious sites (open redirect), poison caches to serve harmful content, or manipulate HTTP headers to alter server behavior. These impacts can compromise user security, trust, and the integrity of your web application. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if HTTP headers accept CR (%0d) and LF (%0a) characters injected via query parameters or headers, causing response splitting. You can use tools like curl or netcat to send crafted HTTP requests with injected %0a or %0d characters in parameters and observe if the server response is split or contains injected headers or body content. For example, using curl: curl -v 'http://target/?param=normal%0aInjected-Header: value' and checking if the response includes 'Injected-Header'. Alternatively, intercept HTTP requests with a proxy (e.g., Burp Suite) and modify parameters to include %0a or %0d to test for header injection and response splitting. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation and sanitization to prevent CR (%0d) and LF (%0a) characters from being included in HTTP headers derived from user input. Ensure that any user-supplied data used in HTTP headers is properly encoded or filtered to disallow newline characters. Additionally, update to a fixed or patched version of CGI::Simple (version 1.282 or later) that addresses this vulnerability. If updating is not immediately possible, consider applying temporary filters or web application firewall (WAF) rules to block requests containing suspicious newline characters in parameters. [2]