CVE-2026-7017 in HTTP::Tiny
Summary
by MITRE • 07/07/2026
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.
When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.
The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/07/2026
This vulnerability exists in HTTP::Tiny versions prior to 0.095 within the perl programming language ecosystem and represents a critical information disclosure flaw that violates fundamental security principles of credential handling during web requests. The issue stems from improper validation of cross-origin redirects where the library fails to verify whether redirect targets maintain the same origin as the initial request, creating a pathway for sensitive authentication data to be transmitted across network boundaries without proper authorization checks.
The technical implementation flaw occurs within the `_maybe_redirect` and `_prepare_headers_and_cb` functions that handle HTTP redirect processing. When a server responds with a 3xx status code, the library automatically follows the Location header but indiscriminately re-merges all caller-supplied headers including Authorization, Cookie, and Proxy-Authorization into the subsequent request without origin validation. This behavior directly contravenes security best practices established in web application security frameworks and creates an attack surface where credentials can be exposed to unintended recipients.
The operational impact of this vulnerability is severe as it enables credential leakage across arbitrary network boundaries including protocol downgrades from https to http, exposing sensitive authentication tokens, session cookies, and proxy credentials in plaintext form. An attacker could exploit this by crafting malicious redirects that point to attacker-controlled hosts, potentially capturing authentication data during normal web browsing or automated processes. This vulnerability specifically affects the HTTP::Tiny library's handling of explicit headers rather than automatic Basic-authentication header inclusion, making it particularly dangerous for applications that rely on explicit credential management.
From a cybersecurity perspective, this vulnerability maps directly to CWE-201 Information Exposure Through Sent Data and aligns with ATT&CK technique T1566.001 for credential access through phishing. The flaw demonstrates poor input validation and insufficient origin verification mechanisms, creating an environment where attackers can leverage legitimate redirect functionality to extract sensitive information. Organizations using HTTP::Tiny in their perl applications face significant risk of credential compromise when making requests that might encounter cross-origin redirects.
The recommended mitigation strategy involves upgrading to HTTP::Tiny version 0.095 or later where the library implements proper origin validation for redirect targets. Administrators should also review application code to ensure explicit header handling doesn't inadvertently bypass security controls, and implement network monitoring to detect unusual credential transmission patterns. Additionally, organizations should consider implementing additional layers of protection such as host header validation and strict transport security policies to minimize the impact of potential exploitation attempts.