CVE-2026-7017
Received Received - Intake

HTTP::Tiny Credential Header Exposure in Redirects

Vulnerability report for CVE-2026-7017, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: CPANSec

Description

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perl_toolchain_gang http_tiny to 0.095 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-7017 is a security vulnerability in the Perl HTTP::Tiny module versions before 0.095. The issue arises when the module follows HTTP 3xx redirects without properly checking if the redirect target shares the same origin as the original URL. Specifically, the module forwards sensitive headers such as Authorization, Cookie, and Proxy-Authorization to cross-origin redirect targets, including cases where the redirect downgrades from HTTPS to HTTP, exposing these credentials in plaintext.

This means that when a server responds with a redirect, HTTP::Tiny merges the caller's headers into the new request without verifying the destination's origin, potentially leaking sensitive authentication information to untrusted or malicious hosts.

Impact Analysis

This vulnerability can lead to the unintended exposure of sensitive authentication credentials such as Authorization headers and cookies to untrusted third-party domains during HTTP redirects. An attacker controlling a redirect target could capture these credentials, potentially gaining unauthorized access to protected resources or user accounts.

Additionally, the vulnerability allows HTTPS to HTTP downgrade redirects, which exposes credentials in plaintext over the network, increasing the risk of interception by attackers.

Mitigation Strategies

To mitigate CVE-2026-7017, update HTTP::Tiny to version 0.095 or later where the vulnerability is fixed.

The fix includes refusing HTTPS to HTTP redirects by default to prevent downgrade attacks and stripping Authorization, Cookie, and Proxy-Authorization headers on cross-origin redirects to avoid credential leakage.

If you must allow legacy behavior, explicitly set the new parameters `allow_downgrade` and `allow_credentialed_redirects` to true, but this is discouraged due to security risks.

Review your usage of HTTP::Tiny in your Perl applications to ensure these updated security settings are applied.

Compliance Impact

This vulnerability in HTTP::Tiny causes sensitive authentication credentials such as Authorization, Cookie, and Proxy-Authorization headers to be forwarded to cross-origin redirect targets, including insecure HTTP endpoints after HTTPS downgrades. This behavior can lead to credential leakage to untrusted domains.

Such leakage of sensitive authentication information can result in unauthorized access to protected resources and exposure of personal or confidential data, which may violate data protection requirements under regulations like GDPR and HIPAA.

The vulnerability increases the risk of non-compliance with these standards because it undermines the confidentiality and integrity of user credentials and potentially exposes personal data during HTTP redirects.

The fixes introduced in HTTP::Tiny, including stripping authentication headers on cross-origin redirects by default and refusing HTTPS to HTTP downgrades, help mitigate these risks and support compliance by preventing unintended credential exposure.

Detection Guidance

This vulnerability involves HTTP::Tiny versions before 0.095 forwarding credential headers (Authorization, Cookie, Proxy-Authorization) to cross-origin redirect targets, including HTTPS to HTTP downgrades, which can expose sensitive credentials.

To detect this vulnerability on your system, you should first identify if your Perl environment uses HTTP::Tiny versions prior to 0.095.

  • Check the installed HTTP::Tiny version with the Perl command: perl -MHTTP::Tiny -e 'print $HTTP::Tiny::VERSION, "\n"'
  • Review your application or scripts for usage of HTTP::Tiny and whether they handle redirects that might cross origins or downgrade from HTTPS to HTTP.
  • Monitor network traffic for HTTP requests that include Authorization or Cookie headers being sent to unexpected domains, especially after redirects.
  • Use network packet capture tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests containing sensitive headers sent to different origins after redirects.
  • Example tcpdump command to capture HTTP traffic with Authorization headers: tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i Authorization
  • Check application logs for unexpected redirects or credential forwarding behavior.

Since the vulnerability is specific to HTTP::Tiny's handling of redirects and headers, detection primarily involves verifying the HTTP::Tiny version and monitoring for credential leakage during redirects.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7017. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart