Source: libhttp-tiny-perl
Version: 0.092-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:perl 5.40.1-8

Hi,

The following vulnerability was published for libhttp-tiny-perl.

CVE-2026-7017[0]:
| HTTP::Tiny versions before 0.095 for Perl forward credential headers
| to cross-origin redirect targets.  When the server returns a 3xx
| redirect, `_maybe_redirect` follows the `Location:` header and
| `_prepare_headers_and_cb` re-merges the caller's `headers` argument
| into the new request, without checking whether the redirect target
| shares an origin with the original URL. Caller-supplied
| `Authorization`, `Cookie` and `Proxy-Authorization` headers are
| therefore re-sent to whatever host the redirect names, across
| scheme, host or port boundaries, and including `https` to `http`
| downgrades that expose them in plaintext on the wire.  The
| HTTP::Tiny POD note that "Authorization headers will not be included
| in a redirected request" applied only to the URL-userinfo Basic-auth
| path, not to headers passed explicitly by the caller.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-7017
    https://www.cve.org/CVERecord?id=CVE-2026-7017
[1] https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36
[2] https://lists.security.metacpan.org/cve-announce/msg/41618211/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to