CVE-2026-9658
Header Injection in Plack Middleware Security Common
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: CPANSec
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plack | middleware | up to 0.13.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CWE-790 | The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Plack::Middleware::Security::Common versions before 0.13.1 for Perl. It fails to block header injections in request paths effectively.
Specifically, the rule intended to block header injections does not work unless the injections are double-encoded. For example, an attacker could send a request like GET /path\r\nHTTP/1.1\r\nHost: secret.example.com to inject headers.
It is also unclear how reverse proxies or Plack-based servers handle such request paths containing CRLF sequences followed by additional headers.
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform header injection attacks by inserting malicious headers into HTTP requests.
Such injections could potentially manipulate how requests are processed by servers or proxies, possibly leading to security issues like request smuggling, cache poisoning, or unauthorized access.
However, the exact impact depends on how the affected servers and proxies handle these malformed requests, which is unclear.
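As an added example that is not from this page or from the Plack project, the following Python models the gap described above: a check that only fires on double-encoded CR/LF (an assumption standing in for the pre-0.13.1 behaviour, not the module's real code) beside a hardened check that percent-decodes the path in rounds and rejects a CR or LF found at any stage. The sample paths are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Matches a raw carriage return or line feed anywhere in a string.
CRLF_RAW = re.compile(r"[\r\n]")

# Assumption: models the weak rule described for versions before 0.13.1,
# which only recognises the double-encoded form (%250d / %250a).
DOUBLE_ENCODED_CRLF = re.compile(r"%25(?:0d|0a)", re.IGNORECASE)


def weak_rule_blocks(path: str) -> bool:
    """Weak check: flags the path only when CR/LF is double-encoded."""
    return DOUBLE_ENCODED_CRLF.search(path) is not None


def hardened_rule_blocks(path: str, max_decode: int = 2) -> bool:
    """Hardened check: flag a raw CR/LF, or one that appears after up to
    `max_decode` rounds of percent-decoding (covers %0d%0a and %250d%250a)."""
    candidate = path
    for _ in range(max_decode + 1):
        if CRLF_RAW.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:      # nothing left to decode
            break
        candidate = decoded
    return False


# Constructed request paths: raw CRLF, single-encoded, double-encoded, benign.
SAMPLE_PATHS = [
    "/path\r\nHost: secret.example.com",
    "/path%0d%0aHost:%20secret.example.com",
    "/path%250d%250aHost:%20secret.example.com",
    "/index.html?q=1%202",
]


def compare(paths):
    """Return (path, weak_blocks, hardened_blocks) for each sample path."""
    return [(p, weak_rule_blocks(p), hardened_rule_blocks(p)) for p in paths]


if __name__ == "__main__":
    for path, weak, hardened in compare(SAMPLE_PATHS):
        print(f"{path!r:50} weak={weak!s:5} hardened={hardened}")
```

The weak rule lets the first two samples through while the hardened one rejects all three injection forms and still accepts the benign query string.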