CVE-2026-7010
HTTP::Tiny Perl Module CRLF Injection Vulnerability
Publication date: 2026-05-11
Last updated on: 2026-05-12
Assigner: CPANSec
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in HTTP::Tiny versions before 0.093 for Perl, where the software does not validate CRLF (Carriage Return Line Feed) characters in HTTP request lines or control field header values.
Specifically, the inputs that are not validated include the HTTP method and URI in the request line, the URL host that becomes the Host header, and HTTP/1.1 control data field values.
An attacker who can control one of these inputs, such as a user-supplied URL passed to a webhook or URL fetch endpoint, can exploit this flaw to inject additional HTTP headers and perform request smuggling attacks to the upstream server.
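As an added example (not code from HTTP::Tiny or from this advisory), a pre-flight check an application could run on the inputs listed above before handing them to HTTP::Tiny. The helper name `request_problems` and the sample values are hypothetical; the character rules follow the RFC 9110 token grammar, and no request is sent.

```perl
use strict;
use warnings;
use HTTP::Tiny;

# RFC 9110 "token" characters, used for methods and header field names.
my $TOKEN = qr/\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/;

# Hypothetical helper (not part of HTTP::Tiny): returns the reasons a request
# is unsafe to hand to the client. An empty list means every check passed.
sub request_problems {
    my ($method, $url, $headers) = @_;
    my @problems;

    # Request line. \z (not $) is deliberate: $ would accept a trailing "\n".
    push @problems, 'method is not a token'
        unless defined $method && $method =~ $TOKEN;
    # Covers the URI and the host that becomes the Host header.
    push @problems, 'URL has control characters or whitespace'
        if !defined $url || $url =~ /[\x00-\x20\x7f]/;

    for my $name (sort keys %{ $headers || {} }) {
        push @problems, 'a header name is not a token' unless $name =~ $TOKEN;
        # HTTP::Tiny accepts a scalar or an array reference per header.
        my $value = $headers->{$name};
        for my $v (ref($value) eq 'ARRAY' ? @$value : ($value)) {
            push @problems, 'a header value has CR, LF or NUL'
                if defined $v && $v =~ /[\r\n\0]/;
        }
    }
    return @problems;
}

# Constructed sample inputs, for illustration only.
my @samples = (
    [ 'GET', 'http://example.test/hook', { 'X-Request-Id' => 'abc123' } ],
    [ 'GET', "http://example.test/hook\r\nX-Injected: 1", {} ],
    [ 'GET', 'http://example.test/hook', { 'X-Note' => "ok\r\nX-Injected: 1" } ],
);
for my $sample (@samples) {
    my @problems = request_problems(@$sample);
    print @problems ? 'REJECT: ' . join('; ', @problems) . "\n" : "ok\n";
}

# Versions before 0.093 are affected, so also report the installed version.
my $fixed = eval { HTTP::Tiny->VERSION('0.093'); 1 };
print 'HTTP::Tiny ', HTTP::Tiny->VERSION,
    ($fixed ? ' is' : ' is NOT'), " at or above 0.093\n";
```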
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject additional HTTP headers and smuggle requests to the upstream server.
Such attacks can lead to unauthorized actions, bypassing security controls, or manipulating the behavior of the server or application that relies on HTTP::Tiny.