Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Network-reachable, low-complexity credential disclosure needing no privileges but requiring the client to make a redirected request (UI:R); impact is pure confidentiality so I and A are N.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.
When the server returns a 3xx redirect, _maybe_redirect follows the Location: header and _prepare_headers_and_cb re-merges the caller's headers argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied Authorization, Cookie and Proxy-Authorization headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including https to http downgrades that expose them in plaintext on the wire.
The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
AnalysisAI
Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete prerequisites: (1) the calling Perl code must pass a credential header - Authorization, Cookie, or Proxy-Authorization - via HTTP::Tiny's explicit `headers` argument; (2) automatic redirect following must be active, which is the default (HTTP::Tiny follows redirects unless max_redirect is lowered); and (3) the attacker must be able to make the requested server emit a 3xx `Location` pointing to an origin they control, either by owning/compromising that server or by acting as a man-in-the-middle. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to a moderate, disclosure-oriented risk rather than an urgent RCE-class emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application uses HTTP::Tiny to call an API with an explicit Authorization or Cookie header; an attacker who controls, has compromised, or can MITM that endpoint returns a 302 redirect pointing at attacker.example. HTTP::Tiny transparently follows the redirect and re-sends the same credential headers to the attacker's host, who logs the bearer token or session cookie and replays it. … |
| Remediation | Vendor-released patch: upgrade HTTP::Tiny to 0.095 (initially published as the 0.095-TRIAL release at https://metacpan.org/release/HAARG/HTTP-Tiny-0.095-TRIAL/changes); the fixes are in commits 84984ef3, e7a03aed and 8f32ca89 (PR https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all internal applications and third-party dependencies using Perl HTTP::Tiny; document current versions and systems at risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in the http crate before 0.1.20 for Rust. Rated high severity (CVSS 7.5), this vulnerability is
An issue was discovered in the http package through 0.12.2 for Dart. Rated medium severity (CVSS 6.1), this vulnerabilit
HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.
HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP reque
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code i
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS
ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS 5.3), this
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42072
GHSA-pgc4-5jjm-7rr7