Lwp
Monthly
Credential leakage in LWP::UserAgent before 6.83 (Perl) exposes Authorization and Proxy-Authorization headers to attacker-controlled redirect targets across cross-origin 3xx redirects. The library's redirect handler stripped only Host and Cookie on follow-up requests, leaving credential headers intact even when the redirect crossed a scheme, host, or port boundary. Authenticated Perl HTTP clients - including server-side applications, crawlers, API integrators, and automation tooling - are affected whenever caller-supplied credentials are passed to a UserAgent instance that can be redirected. No public exploit has been independently confirmed beyond the proof-of-concept submitted with the vulnerability report, and CISA KEV does not list this CVE; however, the exploitation pattern is straightforward and mirrors a well-documented class of credential-leakage flaws in HTTP client libraries.
Credential leakage in LWP::UserAgent before 6.83 (Perl) exposes Authorization and Proxy-Authorization headers to attacker-controlled redirect targets across cross-origin 3xx redirects. The library's redirect handler stripped only Host and Cookie on follow-up requests, leaving credential headers intact even when the redirect crossed a scheme, host, or port boundary. Authenticated Perl HTTP clients - including server-side applications, crawlers, API integrators, and automation tooling - are affected whenever caller-supplied credentials are passed to a UserAgent instance that can be redirected. No public exploit has been independently confirmed beyond the proof-of-concept submitted with the vulnerability report, and CISA KEV does not list this CVE; however, the exploitation pattern is straightforward and mirrors a well-documented class of credential-leakage flaws in HTTP client libraries.