Skip to main content

HTTP::Tiny CVE-2026-7017

| EUVDEUVD-2026-42072 HIGH
Insufficiently Protected Credentials (CWE-522)
2026-07-07 CPANSec GHSA-pgc4-5jjm-7rr7
7.1
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable, low-complexity credential disclosure needing no privileges but requiring the client to make a redirected request (UI:R); impact is pure confidentiality so I and A are N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 07, 2026 - 21:02 vuln.today
CVSS changed
Jul 07, 2026 - 19:22 NVD
7.1 (HIGH)
CVE Published
Jul 07, 2026 - 17:41 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.

When the server returns a 3xx redirect, _maybe_redirect follows the Location: header and _prepare_headers_and_cb re-merges the caller's headers argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied Authorization, Cookie and Proxy-Authorization headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including https to http downgrades that expose them in plaintext on the wire.

The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

AnalysisAI

Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect destination harvest sensitive headers. When a server answers with a 3xx redirect, HTTP::Tiny re-sends caller-supplied Authorization, Cookie and Proxy-Authorization headers to the new host without verifying it shares the original origin, including across scheme, host or port boundaries and over https-to-http downgrades that expose them in cleartext on the wire. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker controls redirect target
Delivery
Victim app sends request with Authorization/Cookie header
Exploit
Server returns 3xx to attacker origin
Execution
HTTP::Tiny re-sends credentials cross-origin
Impact
Attacker captures and replays credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete prerequisites: (1) the calling Perl code must pass a credential header - Authorization, Cookie, or Proxy-Authorization - via HTTP::Tiny's explicit `headers` argument; (2) automatic redirect following must be active, which is the default (HTTP::Tiny follows redirects unless max_redirect is lowered); and (3) the attacker must be able to make the requested server emit a 3xx `Location` pointing to an origin they control, either by owning/compromising that server or by acting as a man-in-the-middle. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to a moderate, disclosure-oriented risk rather than an urgent RCE-class emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application uses HTTP::Tiny to call an API with an explicit Authorization or Cookie header; an attacker who controls, has compromised, or can MITM that endpoint returns a 302 redirect pointing at attacker.example. HTTP::Tiny transparently follows the redirect and re-sends the same credential headers to the attacker's host, who logs the bearer token or session cookie and replays it. …
Remediation Vendor-released patch: upgrade HTTP::Tiny to 0.095 (initially published as the 0.095-TRIAL release at https://metacpan.org/release/HAARG/HTTP-Tiny-0.095-TRIAL/changes); the fixes are in commits 84984ef3, e7a03aed and 8f32ca89 (PR https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all internal applications and third-party dependencies using Perl HTTP::Tiny; document current versions and systems at risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy