HTTP Response Splitting Vulnerability in CGI::Simple by Perl
CVE-2025-40927

Currently unrated

Key Information:

Vendor: Manwar

CVE Published: 29 August 2025

What is CVE-2025-40927?

CGI::Simple versions prior to 1.282 are vulnerable to HTTP response splitting through HTTP response header injection. The vulnerability arises when attackers use URL-encoded values in query parameters to inject newline characters (%0A), which causes the server to break its HTTP response. Attackers can then craft arbitrary headers or even entire bodies within the response. This can lead to reflected cross-site scripting (XSS), open redirection, cache poisoning, header manipulation, and other attacks.
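
A minimal model of the header injection described above, added here as an example and not taken from CGI::Simple or from the advisory: a decoded query parameter is copied into a response header, first unchecked and then through a check that rejects CR, LF and NUL. The `lang` parameter, the `Content-Language` and `X-Injected` header names and all function names are assumptions, and the sample query strings are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample query strings (not taken from real traffic).
BENIGN = "lang=en"
CRAFTED = "lang=en%0AX-Injected%3A%201"

def naive_response(query: str) -> str:
    """Model of the flaw: the decoded parameter goes into a header unchecked."""
    lang = parse_qs(query)["lang"][0]      # %0A has become "\n" at this point
    return f"Content-Type: text/html\nContent-Language: {lang}\n\n<p>ok</p>"

def safe_header_value(value: str) -> str:
    """Refuse any value that could end the header line early."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("CR, LF or NUL in header value")
    return value

def hardened_response(query: str) -> str:
    """Same response, but the value is validated before it is emitted."""
    lang = safe_header_value(parse_qs(query)["lang"][0])
    return f"Content-Type: text/html\nContent-Language: {lang}\n\n<p>ok</p>"

def header_names(response: str) -> list[str]:
    """Header names as a client or cache would read them from the raw text."""
    head = response.split("\n\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\n")]

def has_encoded_newline(query: str) -> bool:
    """Log-side check: flag raw query strings carrying %0A or %0D."""
    return re.search(r"%0[ad]", query, re.IGNORECASE) is not None

if __name__ == "__main__":
    for q in (BENIGN, CRAFTED):
        print(q, has_encoded_newline(q), header_names(naive_response(q)))
        try:
            hardened_response(q)
            print("  hardened: accepted")
        except ValueError as exc:
            print("  hardened: rejected:", exc)
```

The extra header name in the naive output for the crafted query is the split; the hardened path raises instead of emitting it.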

Affected Version(s)

CGI::Simple 0 < 1.282

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maxim Kosenko