When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.
The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Solution
Upgrade to HTTP-Tiny 0.095-TRIAL or later.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Haarg
Haarg http::tiny |
|
| Vendors & Products |
Haarg
Haarg http::tiny |
Tue, 07 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Tue, 07 Jul 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller. | |
| Title | HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets | |
| Weaknesses | CWE-522 | |
| References |
|
|
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-07T20:35:36.874Z
Reserved: 2026-04-25T10:30:05.190Z
Link: CVE-2026-7017
Updated: 2026-07-07T18:30:54.573Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T20:15:03Z