Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,
GET /path\r\nHTTP/1.1\r\nHost: secret.example.com
Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
AnalysisAI
Header injection filtering bypass in Plack::Middleware::Security::Common (Perl) versions prior to 0.13.1 allows remote attackers to smuggle CRLF sequences and additional headers through request paths that are not double-encoded. The flaw weakens a security middleware specifically designed to prevent header injection, and while EPSS sits at 0.03% (9th percentile) with no public exploit identified at time of analysis, downstream impact depends on how reverse proxies and Plack-based servers handle the unblocked CRLF payloads.
Technical ContextAI
Plack is the Perl PSGI (Perl Server Gateway Interface) toolkit, and Plack::Middleware::Security::Common is a CPAN module by RRWO providing a collection of security middlewares for Plack-based web applications. The root cause is CWE-790 (Improper Filtering of Special Elements), where the middleware's header-injection rule only matched double-encoded CRLF (%250D%250A) patterns rather than raw or single-encoded CRLF (\r\n) in the request path. The affected component is identified by CPE cpe:2.3:a:rrwo:plack::middleware::security::common and the flaw resides in the regex/decoding logic intended to neutralize HTTP header smuggling and response-splitting payloads before they reach the upstream application.
RemediationAI
Vendor-released patch: upgrade Plack::Middleware::Security::Common to version 0.13.1 or later from CPAN (see https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes); a typical install via cpanm Plack::Middleware::Security::Common@0.13.1 followed by application restart is sufficient. As a compensating control until upgrade, configure the upstream reverse proxy (nginx, Apache, HAProxy) to reject request paths containing raw CRLF or %0D%0A sequences - note this may break clients that legitimately send unusual but valid percent-encoded paths. Additionally, audit the broader Plack stack for any logic that trusts the unsanitized PATH_INFO/REQUEST_URI, since the middleware was previously assumed to block such payloads.
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Rated critical severity
Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP c
Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to b
Same weakness CWE-790 – Improper Filtering of Special Elements
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32892
GHSA-xcq6-chp9-g954