๐Ÿ” CVE Alert

CVE-2026-7017

HIGH 7.1

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets

CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

CWE CWE-522
Vendor haarg
Product http::tiny
Published Jul 7, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for haarg http::tiny

Be the first to know when new high vulnerabilities affecting haarg http::tiny are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

HAARG / HTTP::Tiny
0 < 0.095

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36 github.com: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/84984ef3930ddd4afcf5eb83b40d3cee200739c3.patch github.com: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/e7a03aedf2395158f2b0d3bad2df943349227bb3.patch github.com: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/8f32ca89e21c3ad0422adc698fa6ad17a193f55f.patch metacpan.org: https://metacpan.org/release/HAARG/HTTP-Tiny-0.095-TRIAL/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/07/07/13