Cross-Origin Redirect Vulnerability in HTTP::Tiny for Perl
CVE-2026-7017

Currently unrated

Key Information:

Vendor

Haarg

Vendor
CVE Published:
7 July 2026

What is CVE-2026-7017?

A vulnerability exists in HTTP::Tiny for Perl that allows the unintentional exposure of sensitive credentials such as Authorization and Cookie headers. In versions prior to 0.095, when a server issues a 3xx redirect, the library follows the redirect without confirming that the new target shares the same origin as the original request. This can lead to the re-sending of these headers to arbitrary domains, potentially resulting in credential leakage. Furthermore, this issue may allow HTTPS requests to downgrade to HTTP, exposing these headers in plaintext. The library's documentation misleads users by indicating that Authorization headers are excluded, which only applies to Basic-auth paths, and does not prevent vulnerability through other supplied headers.

Affected Version(s)

HTTP::Tiny 0 < 0.095

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.