Plack::Middleware::XSendfile CVE-2026-7381
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.
Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.
A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.
Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.
This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.
AnalysisAI
Plack::Middleware::XSendfile through version 1.0053 allows remote unauthenticated attackers to read arbitrary files from nginx-proxied servers by injecting malicious X-Sendfile-Type and X-Accel-Mapping headers. When the middleware's sendfile type is not explicitly configured, clients can force nginx's X-Accel-Redirect mode and manipulate path mappings to access sensitive files outside intended directories. The middleware has been deprecated as of version 1.0053 and will be removed in future Plack releases. EPSS score of 0.01% suggests low current exploitation activity despite the high CVSS 9.1 rating. No public exploit code identified at time of analysis, though the attack technique mirrors the documented CVE-2025-61780 vulnerability in Rack::Sendfile.
Technical ContextAI
Plack::Middleware::XSendfile is a Perl middleware component that delegates static file serving to web servers (nginx, Apache, lighttpd) using X-Sendfile mechanisms for performance optimization. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) where the middleware accepts client-controlled X-Sendfile-Type headers to determine the file-serving mechanism. When deployed behind nginx reverse proxies, attackers can inject X-Sendfile-Type: X-Accel-Redirect combined with X-Accel-Mapping headers to rewrite file paths. Nginx's X-Accel-Redirect feature, designed for internal redirects to protected resources, becomes exploitable when path mappings are client-controlled. Unlike the related Rack::Sendfile CVE-2025-61780, Plack's implementation disallows regex patterns in mappings and restricts mapping application to X-Accel-Redirect type only, providing partial mitigation. The affected CPE (cpe:2.3:a:miyagawa:plack::middleware::xsendfile:*:*:*:*:*:*:*:*) identifies all versions through 1.0053.
RemediationAI
Remove Plack::Middleware::XSendfile from application middleware stacks entirely, as it is deprecated in version 1.0053 and scheduled for removal from future Plack releases per vendor advisory at https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE. If immediate removal is not feasible, implement the following compensating controls: explicitly set the variation parameter in the middleware constructor to a fixed value (e.g., 'X-Sendfile' for Apache or 'X-Lighttpd-Send-File' for lighttpd) to prevent client override via X-Sendfile-Type headers; validate and sanitize all file paths passed to XSendfile mechanisms using allowlists of permitted directories; configure nginx to reject or strip X-Sendfile-Type and X-Accel-Mapping headers from client requests at the reverse proxy layer (note this may break legitimate application functionality if these headers are expected). For nginx deployments specifically, restrict internal location blocks used with X-Accel-Redirect to only serve from explicitly defined safe directories, and audit nginx configuration for overly permissive internal directives. Migration path: replace XSendfile middleware with direct Plack::App::File or PSGI-native static file serving, accepting the performance trade-off, or implement application-level file serving with explicit path validation.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today