Description
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.

An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.
Published: 2026-05-11
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HTTP::Tiny versions before 0.093 accept control characters in the request line and in HTTP/1.1 control data without validating them. This omission allows an attacker who controls the method, URI, host header, or other HTTP/1.1 control fields to inject additional header lines into the request. The injected headers can alter how the upstream server interprets the request, leading to HTTP request smuggling or other header manipulation scenarios. The weakness is a lack of CRLF validation (CWE‑113).

Affected Systems

HAARG HTTP::Tiny. All releases prior to 0.093 are vulnerable. Applications that embed any of those older versions are susceptible. The fix is delivered in the 0.093‑TRIAL package and later revisions.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating no public evidence of exploitation yet. Exploitation requires the attacker to control input that is passed directly to HTTP::Tiny, such as a user-supplied URL passed to a webhook or fetch routine. When this condition is satisfied, request smuggling or header manipulation can occur. Although no CVSS score is provided, the potential impact on request integrity justifies timely remediation.

Generated by OpenCVE AI on May 12, 2026 at 00:21 UTC.

Remediation

Vendor Solution

Upgrade to HTTP-Tiny 0.093-TRIAL or later.


OpenCVE Recommended Actions

  • Upgrade to HTTP::Tiny 0.093‑TRIAL or newer
  • Validate or sanitize any URLs before passing them to HTTP::Tiny to ensure no CRLF or other control characters are present
  • Restrict untrusted user input that can be used as HTTP request components to a known safe set
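
The second and third recommended actions can be combined into one pre-flight check that runs before anything reaches HTTP::Tiny. The Perl below is an added example, not code from HTTP::Tiny or from this advisory; the function name, the allowlists and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Assumed allowlists for this example; set them to what the application needs.
my %ALLOWED_METHOD = map { $_ => 1 } qw(GET HEAD POST);
my %ALLOWED_HOST   = map { $_ => 1 } qw(hooks.example.test);

# Returns the reasons to reject; an empty list means the inputs may be passed on.
sub request_input_problems {
    my ($method, $url, $headers) = @_;
    my @problems;
    push @problems, 'method not in allowlist'
        unless defined $method && $ALLOWED_METHOD{$method};
    if (!defined $url || $url =~ /[\x00-\x20\x7f]/) {
        # CR, LF, other control characters and raw spaces never belong in a URL.
        push @problems, 'URL contains control characters or whitespace';
    }
    elsif ($url =~ m{\Ahttps?://([^/?#]*)}i) {
        my $host = lc $1;
        $host =~ s/\A.*\@//;    # drop userinfo
        $host =~ s/:\d*\z//;    # drop port
        push @problems, 'host not in allowlist' unless $ALLOWED_HOST{$host};
    }
    else {
        push @problems, 'URL is not an absolute http(s) URL';
    }
    for my $name (sort keys %{ $headers || {} }) {
        # \A and \z, not ^ and $: in Perl, $ also matches before a trailing newline.
        push @problems, 'header name is not a valid token'
            unless $name =~ /\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/;
        my $v = $headers->{$name};
        for my $value (ref($v) eq 'ARRAY' ? @$v : $v) {
            push @problems, 'header value contains CR, LF or NUL'
                if !defined $value || $value =~ /[\r\n\x00]/;
        }
    }
    return @problems;
}

# Constructed sample inputs: one clean request and two carrying CRLF.
my @cases = (
    [ 'GET', 'https://hooks.example.test/notify?id=7', { Accept => '*/*' } ],
    [ 'GET', "https://hooks.example.test/a\r\nX-Added: 1", {} ],
    [ 'GET', 'https://hooks.example.test/', { 'X-Trace' => "abc\r\nX-Added: 1" } ],
);
for my $case (@cases) {
    my @problems = request_input_problems(@$case);
    print @problems ? 'REJECT: ' . join('; ', @problems) . "\n" : "OK\n";
}
```

Only when the list is empty should the application go on to call `HTTP::Tiny->new->request($method, $url, { headers => $headers })`. The check complements the upgrade to 0.093 and does not replace it.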

Advisories

No advisories yet.

History

Tue, 12 May 2026 00:30:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.
Title HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values
Weaknesses CWE-113
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-11T23:19:47.588Z

Reserved: 2026-04-25T09:18:30.030Z

Link: CVE-2026-7010

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T22:22:14.750

Modified: 2026-05-12T00:17:03.203

Link: CVE-2026-7010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T00:30:04Z

Weaknesses