Skip to main content

Plack::Middleware::XSendfile CVE-2026-7381

CRITICAL
Information Exposure (CWE-200)
2026-04-29 CPANSec
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 30, 2026 - 14:22 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
9.1 (CRITICAL)
Analysis Generated
Apr 29, 2026 - 23:00 vuln.today
CVE Published
Apr 29, 2026 - 22:13 nvd
CRITICAL 9.1

DescriptionCVE.org

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.

Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.

A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.

Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.

This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

AnalysisAI

Plack::Middleware::XSendfile through version 1.0053 allows remote unauthenticated attackers to read arbitrary files from nginx-proxied servers by injecting malicious X-Sendfile-Type and X-Accel-Mapping headers. When the middleware's sendfile type is not explicitly configured, clients can force nginx's X-Accel-Redirect mode and manipulate path mappings to access sensitive files outside intended directories. The middleware has been deprecated as of version 1.0053 and will be removed in future Plack releases. EPSS score of 0.01% suggests low current exploitation activity despite the high CVSS 9.1 rating. No public exploit code identified at time of analysis, though the attack technique mirrors the documented CVE-2025-61780 vulnerability in Rack::Sendfile.

Technical ContextAI

Plack::Middleware::XSendfile is a Perl middleware component that delegates static file serving to web servers (nginx, Apache, lighttpd) using X-Sendfile mechanisms for performance optimization. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) where the middleware accepts client-controlled X-Sendfile-Type headers to determine the file-serving mechanism. When deployed behind nginx reverse proxies, attackers can inject X-Sendfile-Type: X-Accel-Redirect combined with X-Accel-Mapping headers to rewrite file paths. Nginx's X-Accel-Redirect feature, designed for internal redirects to protected resources, becomes exploitable when path mappings are client-controlled. Unlike the related Rack::Sendfile CVE-2025-61780, Plack's implementation disallows regex patterns in mappings and restricts mapping application to X-Accel-Redirect type only, providing partial mitigation. The affected CPE (cpe:2.3:a:miyagawa:plack::middleware::xsendfile:*:*:*:*:*:*:*:*) identifies all versions through 1.0053.

RemediationAI

Remove Plack::Middleware::XSendfile from application middleware stacks entirely, as it is deprecated in version 1.0053 and scheduled for removal from future Plack releases per vendor advisory at https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE. If immediate removal is not feasible, implement the following compensating controls: explicitly set the variation parameter in the middleware constructor to a fixed value (e.g., 'X-Sendfile' for Apache or 'X-Lighttpd-Send-File' for lighttpd) to prevent client override via X-Sendfile-Type headers; validate and sanitize all file paths passed to XSendfile mechanisms using allowlists of permitted directories; configure nginx to reject or strip X-Sendfile-Type and X-Accel-Mapping headers from client requests at the reverse proxy layer (note this may break legitimate application functionality if these headers are expected). For nginx deployments specifically, restrict internal location blocks used with X-Accel-Redirect to only serve from explicitly defined safe directories, and audit nginx configuration for overly permissive internal directives. Migration path: replace XSendfile middleware with direct Plack::App::File or PSGI-native static file serving, accepting the performance trade-off, or implement application-level file serving with explicit path validation.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-7381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy